1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
use extract::{Context, Error, Extract, ExtractFuture};
use futures::Poll;
use std::path::{self, Path, PathBuf};
use util::buf_stream::BufStream;
impl<B: BufStream> Extract<B> for PathBuf {
type Future = ExtractPathBuf;
fn extract(ctx: &Context) -> Self::Future {
use codegen::Source::*;
match ctx.callsite().source() {
Capture(idx) => {
let path = ctx.request().uri().path();
let value = ctx.captures().get(*idx, path).into();
ExtractPathBuf(value)
}
_ => unimplemented!("A PathBuf can only be extracted from a path capture for now"),
}
}
}
#[derive(Debug)]
pub struct ExtractPathBuf(String);
impl ExtractPathBuf {
fn check_for_path_traversal(&self) -> Result<(), Error> {
use self::path::Component::*;
let path_traversal_error = || Error::invalid_argument(&"Path traversal detected");
let mut depth: u32 = 0;
for c in Path::new(&self.0).components() {
match c {
Prefix(_) | RootDir => {
return Err(path_traversal_error());
}
CurDir => {
}
ParentDir => {
depth = match depth.checked_sub(1) {
Some(v) => v,
None => return Err(path_traversal_error()),
}
}
Normal(_) => {
depth += 1;
}
}
}
Ok(())
}
}
impl ExtractFuture for ExtractPathBuf {
type Item = PathBuf;
fn poll(&mut self) -> Poll<(), Error> {
self.check_for_path_traversal()?;
Ok(().into())
}
fn extract(self) -> Self::Item {
PathBuf::from(self.0)
}
}
#[cfg(test)]
mod test {
use super::*;
use futures::Async;
use std::path::Path;
#[test]
fn extract() {
let mut extractor = ExtractPathBuf("hello".into());
let poll_state = extractor.poll().expect("extractor failed");
assert_eq!(Async::Ready(()), poll_state);
assert_eq!(Path::new("hello"), extractor.extract());
}
#[test]
fn disallows_path_traversal() {
let mut extractor = ExtractPathBuf("..".into());
let poll_err = extractor.poll().unwrap_err();
assert!(poll_err.is_invalid_argument());
let mut extractor = ExtractPathBuf("a/..".into());
let poll_state = extractor.poll().expect("extractor failed");
assert_eq!(Async::Ready(()), poll_state);
assert_eq!(Path::new("a/.."), extractor.extract());
let mut extractor = ExtractPathBuf("../a".into());
let poll_err = extractor.poll().unwrap_err();
assert!(poll_err.is_invalid_argument());
let mut extractor = ExtractPathBuf("../a/b".into());
let poll_err = extractor.poll().unwrap_err();
assert!(poll_err.is_invalid_argument());
let mut extractor = ExtractPathBuf("a/../b".into());
let poll_state = extractor.poll().expect("extractor failed");
assert_eq!(Async::Ready(()), poll_state);
assert_eq!(Path::new("a/../b"), extractor.extract());
let mut extractor = ExtractPathBuf("a/b/..".into());
let poll_state = extractor.poll().expect("extractor failed");
assert_eq!(Async::Ready(()), poll_state);
assert_eq!(Path::new("a/b/.."), extractor.extract());
}
}