server (fs): `path` cannot contain `..`

2022-05-01 19:49:50 +02:00 · 2022-05-01 19:49:50 +02:00 · bb8a42b080
parent 2cca093d26
commit bb8a42b080
4 changed files with 60 additions and 29 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -857,9 +857,9 @@ checksum = "73cbba799671b762df5a175adf59ce145165747bb891505c43d09aefbbf38beb"

 [[package]]
 name = "memchr"
-version = "2.4.1"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
+checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"

 [[package]]
 name = "mime"
@ -947,9 +947,9 @@ dependencies = [

 [[package]]
 name = "num-integer"
-version = "0.1.44"
+version = "0.1.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db"
+checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
 dependencies = [
 "autocfg",
 "num-traits",
@ -1016,7 +1016,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "87f5ec2493a61ac0506c0f4199f99070cbe83857b0337006a30f3e6719b8ef58"
 dependencies = [
 "lock_api",
- "parking_lot_core 0.9.2",
+ "parking_lot_core 0.9.3",
 ]

 [[package]]
@ -1035,9 +1035,9 @@ dependencies = [

 [[package]]
 name = "parking_lot_core"
-version = "0.9.2"
+version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "995f667a6c822200b0433ac218e05582f0e2efa1b922a3fd2fbaadc5f87bab37"
+checksum = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929"
 dependencies = [
 "cfg-if",
 "libc",
@ -1262,9 +1262,9 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.79"
+version = "1.0.80"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e8d9fa5c3b304765ce1fd9c4c8a3de2c8db365a5b91be52f186efc675681d95"
+checksum = "f972498cf015f7c0746cac89ebe1d6ef10c293b94175a243a2d9442c163d9944"
 dependencies = [
 "itoa",
 "ryu",
@ -2003,9 +2003,9 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

 [[package]]
 name = "windows-sys"
-version = "0.34.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5acdd78cb4ba54c0045ac14f62d8f94a03d10047904ae2a40afa1e99d8f70825"
+checksum = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
 dependencies = [
 "windows_aarch64_msvc",
 "windows_i686_gnu",
@ -2016,33 +2016,33 @@ dependencies = [

 [[package]]
 name = "windows_aarch64_msvc"
-version = "0.34.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "17cffbe740121affb56fad0fc0e421804adf0ae00891205213b5cecd30db881d"
+checksum = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"

 [[package]]
 name = "windows_i686_gnu"
-version = "0.34.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2564fde759adb79129d9b4f54be42b32c89970c18ebf93124ca8870a498688ed"
+checksum = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"

 [[package]]
 name = "windows_i686_msvc"
-version = "0.34.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9cd9d32ba70453522332c14d38814bceeb747d80b3958676007acadd7e166956"
+checksum = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"

 [[package]]
 name = "windows_x86_64_gnu"
-version = "0.34.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cfce6deae227ee8d356d19effc141a509cc503dfd1f850622ec4b0f84428e1f4"
+checksum = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"

 [[package]]
 name = "windows_x86_64_msvc"
-version = "0.34.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d19538ccc21819d01deaf88d6a17eae6596a12e9aafdbb97916fb49896d89de9"
+checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"

 [[package]]
 name = "zeroize"
--- a/server/src/fs/list.rs
+++ b/server/src/fs/list.rs
@ -21,6 +21,14 @@ pub async fn handle(
    let Json(request) = validate_json::<Request>(request)?;
    let token = validate_jwt(config.jwt.secret.as_bytes(), &token)?;

+    // `path` cannot contain `..`
+    // to prevent attack attempts because by using a `..` you can access the previous folder
+    if request.path.contains("..") {
+        return Err(ServerError::FsError(FsError::ReadDir(
+            "the `path` must not contain `..`".to_string(),
+        )));
+    }
+
    let response = match db.find_user_by_id(token.claims.sub).await {
        Ok(res) => {
            let user_path = format!(
@ -59,14 +67,14 @@ pub async fn handle(
            Response { files, dirs }
        }

-        Err(err) => match err {
-            Error::UserNotFound => return Err(ServerError::AuthError(AuthError::UserNotFound)),
-            _ => {
-                return Err(ServerError::AuthError(AuthError::UnknowError(
+        Err(err) => {
+            return match err {
+                Error::UserNotFound => Err(ServerError::AuthError(AuthError::UserNotFound)),
+                _ => Err(ServerError::AuthError(AuthError::UnknowError(
                    err.to_string(),
-                )))
+                ))),
            }
-        },
+        }
    };

    Ok(Json(response))
--- a/server/src/fs/upload.rs
+++ b/server/src/fs/upload.rs
@ -20,6 +20,14 @@ pub async fn handle(
    let Json(request) = validate_json::<Request>(request)?;
    let token = validate_jwt(config.jwt.secret.as_bytes(), &token)?;

+    // `path` cannot contain `..`
+    // to prevent attack attempts because by using a `..` you can access the previous folder
+    if request.path.contains("..") {
+        return Err(ServerError::FsError(FsError::ReadDir(
+            "the `path` must not contain `..`".to_string(),
+        )));
+    }
+
    let response = match db.find_user_by_id(token.claims.sub).await {
        Ok(res) => {
            // get file content
@ -39,7 +47,7 @@ pub async fn handle(
                return Err(ServerError::FsError(FsError::FileAlreadyExists));
            }

-            // create a directorys where the file will be placed
+            // create a directory where the file will be placed
            // e.g. path ==> `/secret/files/images/screenshot.png`
            // directories up to `/home/homedisk/{username}/secret/files/images/` will be created
            match path.parent() {
--- a/server/src/middleware/jwt.rs
+++ b/server/src/middleware/jwt.rs
@ -1,4 +1,5 @@
-use homedisk_database::User;
+use axum::Extension;
+use homedisk_database::{Database, User};
 use homedisk_types::errors::{AuthError, ServerError};
 use rust_utilities::crypto::jsonwebtoken::{Claims, Token};

@ -10,3 +11,17 @@ pub fn create_token(user: &User, secret: &[u8], expires: i64) -> Result<String,
        Err(_) => Err(ServerError::AuthError(AuthError::TokenGenerate)),
    }
 }
+
+pub async fn find_user(db: Extension<Database>, user_id: String) -> Result<User, ServerError> {
+    match db.find_user_by_id(user_id).await {
+        Ok(user) => Ok(user),
+        Err(err) => match err {
+            homedisk_database::Error::UserNotFound => {
+                Err(ServerError::AuthError(AuthError::UserNotFound))
+            }
+            _ => Err(ServerError::AuthError(AuthError::UnknowError(
+                err.to_string(),
+            ))),
+        },
+    }
+}