add files path traversal tests

2024-06-11 01:39:33 +00:00 · 2021-11-18 18:14:34 +00:00 · 2021-11-18 18:14:34 +00:00 · 56ee97f722
parent 66620a1012
commit 56ee97f722
2 changed files with 50 additions and 1 deletions
--- a/actix-files/src/path_buf.rs
+++ b/actix-files/src/path_buf.rs
@ -8,7 +8,7 @@ use actix_web::{dev::Payload, FromRequest, HttpRequest};

 use crate::error::UriSegmentError;

-#[derive(Debug)]
+#[derive(Debug, PartialEq, Eq)]
 pub(crate) struct PathBufWrap(PathBuf);

 impl FromStr for PathBufWrap {
@ -21,6 +21,8 @@ impl FromStr for PathBufWrap {

 impl PathBufWrap {
    /// Parse a path, giving the choice of allowing hidden files to be considered valid segments.
+    ///
+    /// Path traversal is guarded by this method.
    pub fn parse_path(path: &str, hidden_files: bool) -> Result<Self, UriSegmentError> {
        let mut buf = PathBuf::new();

@ -115,4 +117,24 @@ mod tests {
            PathBuf::from_iter(vec!["test", ".tt"])
        );
    }
+
+    #[test]
+    fn path_traversal() {
+        assert_eq!(
+            PathBufWrap::parse_path("/../README.md", false).unwrap().0,
+            PathBuf::from_iter(vec!["README.md"])
+        );
+
+        assert_eq!(
+            PathBufWrap::parse_path("/../README.md", true).unwrap().0,
+            PathBuf::from_iter(vec!["README.md"])
+        );
+
+        assert_eq!(
+            PathBufWrap::parse_path("/../../../../../../../../../../etc/passwd", false)
+                .unwrap()
+                .0,
+            PathBuf::from_iter(vec!["etc/passwd"])
+        );
+    }
 }
--- a/actix-files/tests/traversal.rs
+++ b/actix-files/tests/traversal.rs
@ -0,0 +1,27 @@
+use actix_files::Files;
+use actix_web::{
+    http::StatusCode,
+    test::{self, TestRequest},
+    App,
+};
+
+#[actix_rt::test]
+async fn test_directory_traversal_prevention() {
+    let srv = test::init_service(App::new().service(Files::new("/", "./tests"))).await;
+
+    let req =
+        TestRequest::with_uri("/../../../../../../../../../../../etc/passwd").to_request();
+    let res = test::call_service(&srv, req).await;
+    assert_eq!(res.status(), StatusCode::NOT_FOUND);
+
+    let req = TestRequest::with_uri(
+        "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+    )
+    .to_request();
+    let res = test::call_service(&srv, req).await;
+    assert_eq!(res.status(), StatusCode::NOT_FOUND);
+
+    let req = TestRequest::with_uri("/%00/etc/passwd%00").to_request();
+    let res = test::call_service(&srv, req).await;
+    assert_eq!(res.status(), StatusCode::NOT_FOUND);
+}