30 lines
707 B
Rust
30 lines
707 B
Rust
use axum::extract::Query;
|
|
use serde::Deserialize;
|
|
|
|
use crate::server::error::{Error, Result};
|
|
|
|
pub type PathQuery = Query<Path>;
|
|
|
|
#[derive(Debug, Clone, Deserialize)]
|
|
pub struct Path {
|
|
pub path: String,
|
|
}
|
|
|
|
pub fn validate_path(path: PathQuery) -> Result<String> {
|
|
let path = path.path.clone();
|
|
|
|
// `path` can't contain `..`
|
|
// to prevent attack attempts because by using a `..` you can access the previous folder
|
|
if path.contains("..") {
|
|
return Err(Error::InvalidPath);
|
|
}
|
|
|
|
// `path` can't contain `~`
|
|
// to prevent attack attempts because `~` can get up a directory on `$HOME`
|
|
if path.contains('~') {
|
|
return Err(Error::InvalidPath);
|
|
}
|
|
|
|
Ok(path)
|
|
}
|