server (fs): `path` cannot contain `..`
This commit is contained in:
parent
2cca093d26
commit
bb8a42b080
|
@ -857,9 +857,9 @@ checksum = "73cbba799671b762df5a175adf59ce145165747bb891505c43d09aefbbf38beb"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "memchr"
|
name = "memchr"
|
||||||
version = "2.4.1"
|
version = "2.5.0"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
|
checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "mime"
|
name = "mime"
|
||||||
|
@ -947,9 +947,9 @@ dependencies = [
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "num-integer"
|
name = "num-integer"
|
||||||
version = "0.1.44"
|
version = "0.1.45"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db"
|
checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"autocfg",
|
"autocfg",
|
||||||
"num-traits",
|
"num-traits",
|
||||||
|
@ -1016,7 +1016,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "87f5ec2493a61ac0506c0f4199f99070cbe83857b0337006a30f3e6719b8ef58"
|
checksum = "87f5ec2493a61ac0506c0f4199f99070cbe83857b0337006a30f3e6719b8ef58"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"lock_api",
|
"lock_api",
|
||||||
"parking_lot_core 0.9.2",
|
"parking_lot_core 0.9.3",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
|
@ -1035,9 +1035,9 @@ dependencies = [
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "parking_lot_core"
|
name = "parking_lot_core"
|
||||||
version = "0.9.2"
|
version = "0.9.3"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "995f667a6c822200b0433ac218e05582f0e2efa1b922a3fd2fbaadc5f87bab37"
|
checksum = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"cfg-if",
|
"cfg-if",
|
||||||
"libc",
|
"libc",
|
||||||
|
@ -1262,9 +1262,9 @@ dependencies = [
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "serde_json"
|
name = "serde_json"
|
||||||
version = "1.0.79"
|
version = "1.0.80"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "8e8d9fa5c3b304765ce1fd9c4c8a3de2c8db365a5b91be52f186efc675681d95"
|
checksum = "f972498cf015f7c0746cac89ebe1d6ef10c293b94175a243a2d9442c163d9944"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"itoa",
|
"itoa",
|
||||||
"ryu",
|
"ryu",
|
||||||
|
@ -2003,9 +2003,9 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "windows-sys"
|
name = "windows-sys"
|
||||||
version = "0.34.0"
|
version = "0.36.1"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "5acdd78cb4ba54c0045ac14f62d8f94a03d10047904ae2a40afa1e99d8f70825"
|
checksum = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"windows_aarch64_msvc",
|
"windows_aarch64_msvc",
|
||||||
"windows_i686_gnu",
|
"windows_i686_gnu",
|
||||||
|
@ -2016,33 +2016,33 @@ dependencies = [
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "windows_aarch64_msvc"
|
name = "windows_aarch64_msvc"
|
||||||
version = "0.34.0"
|
version = "0.36.1"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "17cffbe740121affb56fad0fc0e421804adf0ae00891205213b5cecd30db881d"
|
checksum = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "windows_i686_gnu"
|
name = "windows_i686_gnu"
|
||||||
version = "0.34.0"
|
version = "0.36.1"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "2564fde759adb79129d9b4f54be42b32c89970c18ebf93124ca8870a498688ed"
|
checksum = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "windows_i686_msvc"
|
name = "windows_i686_msvc"
|
||||||
version = "0.34.0"
|
version = "0.36.1"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "9cd9d32ba70453522332c14d38814bceeb747d80b3958676007acadd7e166956"
|
checksum = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "windows_x86_64_gnu"
|
name = "windows_x86_64_gnu"
|
||||||
version = "0.34.0"
|
version = "0.36.1"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "cfce6deae227ee8d356d19effc141a509cc503dfd1f850622ec4b0f84428e1f4"
|
checksum = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "windows_x86_64_msvc"
|
name = "windows_x86_64_msvc"
|
||||||
version = "0.34.0"
|
version = "0.36.1"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "d19538ccc21819d01deaf88d6a17eae6596a12e9aafdbb97916fb49896d89de9"
|
checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "zeroize"
|
name = "zeroize"
|
||||||
|
|
|
@ -21,6 +21,14 @@ pub async fn handle(
|
||||||
let Json(request) = validate_json::<Request>(request)?;
|
let Json(request) = validate_json::<Request>(request)?;
|
||||||
let token = validate_jwt(config.jwt.secret.as_bytes(), &token)?;
|
let token = validate_jwt(config.jwt.secret.as_bytes(), &token)?;
|
||||||
|
|
||||||
|
// `path` cannot contain `..`
|
||||||
|
// to prevent attack attempts because by using a `..` you can access the previous folder
|
||||||
|
if request.path.contains("..") {
|
||||||
|
return Err(ServerError::FsError(FsError::ReadDir(
|
||||||
|
"the `path` must not contain `..`".to_string(),
|
||||||
|
)));
|
||||||
|
}
|
||||||
|
|
||||||
let response = match db.find_user_by_id(token.claims.sub).await {
|
let response = match db.find_user_by_id(token.claims.sub).await {
|
||||||
Ok(res) => {
|
Ok(res) => {
|
||||||
let user_path = format!(
|
let user_path = format!(
|
||||||
|
@ -59,14 +67,14 @@ pub async fn handle(
|
||||||
Response { files, dirs }
|
Response { files, dirs }
|
||||||
}
|
}
|
||||||
|
|
||||||
Err(err) => match err {
|
Err(err) => {
|
||||||
Error::UserNotFound => return Err(ServerError::AuthError(AuthError::UserNotFound)),
|
return match err {
|
||||||
_ => {
|
Error::UserNotFound => Err(ServerError::AuthError(AuthError::UserNotFound)),
|
||||||
return Err(ServerError::AuthError(AuthError::UnknowError(
|
_ => Err(ServerError::AuthError(AuthError::UnknowError(
|
||||||
err.to_string(),
|
err.to_string(),
|
||||||
)))
|
))),
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
|
||||||
};
|
};
|
||||||
|
|
||||||
Ok(Json(response))
|
Ok(Json(response))
|
||||||
|
|
|
@ -20,6 +20,14 @@ pub async fn handle(
|
||||||
let Json(request) = validate_json::<Request>(request)?;
|
let Json(request) = validate_json::<Request>(request)?;
|
||||||
let token = validate_jwt(config.jwt.secret.as_bytes(), &token)?;
|
let token = validate_jwt(config.jwt.secret.as_bytes(), &token)?;
|
||||||
|
|
||||||
|
// `path` cannot contain `..`
|
||||||
|
// to prevent attack attempts because by using a `..` you can access the previous folder
|
||||||
|
if request.path.contains("..") {
|
||||||
|
return Err(ServerError::FsError(FsError::ReadDir(
|
||||||
|
"the `path` must not contain `..`".to_string(),
|
||||||
|
)));
|
||||||
|
}
|
||||||
|
|
||||||
let response = match db.find_user_by_id(token.claims.sub).await {
|
let response = match db.find_user_by_id(token.claims.sub).await {
|
||||||
Ok(res) => {
|
Ok(res) => {
|
||||||
// get file content
|
// get file content
|
||||||
|
@ -39,7 +47,7 @@ pub async fn handle(
|
||||||
return Err(ServerError::FsError(FsError::FileAlreadyExists));
|
return Err(ServerError::FsError(FsError::FileAlreadyExists));
|
||||||
}
|
}
|
||||||
|
|
||||||
// create a directorys where the file will be placed
|
// create a directory where the file will be placed
|
||||||
// e.g. path ==> `/secret/files/images/screenshot.png`
|
// e.g. path ==> `/secret/files/images/screenshot.png`
|
||||||
// directories up to `/home/homedisk/{username}/secret/files/images/` will be created
|
// directories up to `/home/homedisk/{username}/secret/files/images/` will be created
|
||||||
match path.parent() {
|
match path.parent() {
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
use homedisk_database::User;
|
use axum::Extension;
|
||||||
|
use homedisk_database::{Database, User};
|
||||||
use homedisk_types::errors::{AuthError, ServerError};
|
use homedisk_types::errors::{AuthError, ServerError};
|
||||||
use rust_utilities::crypto::jsonwebtoken::{Claims, Token};
|
use rust_utilities::crypto::jsonwebtoken::{Claims, Token};
|
||||||
|
|
||||||
|
@ -10,3 +11,17 @@ pub fn create_token(user: &User, secret: &[u8], expires: i64) -> Result<String,
|
||||||
Err(_) => Err(ServerError::AuthError(AuthError::TokenGenerate)),
|
Err(_) => Err(ServerError::AuthError(AuthError::TokenGenerate)),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub async fn find_user(db: Extension<Database>, user_id: String) -> Result<User, ServerError> {
|
||||||
|
match db.find_user_by_id(user_id).await {
|
||||||
|
Ok(user) => Ok(user),
|
||||||
|
Err(err) => match err {
|
||||||
|
homedisk_database::Error::UserNotFound => {
|
||||||
|
Err(ServerError::AuthError(AuthError::UserNotFound))
|
||||||
|
}
|
||||||
|
_ => Err(ServerError::AuthError(AuthError::UnknowError(
|
||||||
|
err.to_string(),
|
||||||
|
))),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue