231 lines
7.6 KiB
Rust
231 lines
7.6 KiB
Rust
use std::path::{Component, Path, PathBuf};
|
|
|
|
use eyre::WrapErr;
|
|
|
|
fn canonicalize_base_dir(base_dir: &Path) -> eyre::Result<PathBuf> {
|
|
if !base_dir.is_absolute() {
|
|
eyre::bail!("Base directory must be absolute: {}", base_dir.display());
|
|
}
|
|
|
|
let canonical = std::fs::canonicalize(base_dir).unwrap_or_else(|_| base_dir.to_path_buf());
|
|
Ok(canonical)
|
|
}
|
|
|
|
fn sanitize_relative_path(relative_path: &str) -> eyre::Result<PathBuf> {
|
|
if relative_path.is_empty() {
|
|
eyre::bail!("Relative path cannot be empty");
|
|
}
|
|
|
|
if relative_path.contains('\0') {
|
|
eyre::bail!("Path contains null byte");
|
|
}
|
|
|
|
// Normalise Windows separators so that component checks work uniformly.
|
|
let normalised = relative_path.replace('\\', "/");
|
|
|
|
if normalised.starts_with("//") {
|
|
eyre::bail!("UNC paths are not allowed: {relative_path}");
|
|
}
|
|
|
|
if normalised.contains(":/") {
|
|
eyre::bail!("Path contains drive letter: {relative_path}");
|
|
}
|
|
|
|
let path = PathBuf::from(&normalised);
|
|
if path.is_absolute() {
|
|
eyre::bail!("Path must be relative, not absolute: {relative_path}");
|
|
}
|
|
|
|
Ok(path)
|
|
}
|
|
|
|
/// Validates and sanitizes a relative path to prevent directory traversal attacks.
|
|
///
|
|
/// # Errors
|
|
/// Returns an error if the path attempts to escape the base directory or contains invalid components.
|
|
pub fn validate_relative_path(base_dir: &Path, relative_path: &str) -> eyre::Result<PathBuf> {
|
|
let canonical_base = canonicalize_base_dir(base_dir)?;
|
|
let relative = sanitize_relative_path(relative_path)?;
|
|
|
|
let mut resolved = canonical_base.clone();
|
|
|
|
for component in relative.components() {
|
|
match component {
|
|
Component::Prefix(_) | Component::RootDir => {
|
|
eyre::bail!("Path is not relative: {relative_path}");
|
|
}
|
|
Component::ParentDir => {
|
|
eyre::bail!("Path attempts to escape base directory: {relative_path}");
|
|
}
|
|
Component::CurDir => {}
|
|
Component::Normal(part) => {
|
|
resolved.push(part);
|
|
|
|
if let Ok(metadata) = std::fs::symlink_metadata(&resolved)
|
|
&& metadata.file_type().is_symlink()
|
|
{
|
|
let target = std::fs::canonicalize(&resolved).wrap_err_with(|| {
|
|
format!("Failed to canonicalize symlink {}", resolved.display())
|
|
})?;
|
|
|
|
if !target.starts_with(&canonical_base) {
|
|
eyre::bail!(
|
|
"Path validation failed: {relative_path} escapes the base directory"
|
|
);
|
|
}
|
|
|
|
resolved = target;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if !resolved.starts_with(&canonical_base) {
|
|
eyre::bail!("Path validation failed: {relative_path} escapes the base directory");
|
|
}
|
|
|
|
Ok(resolved)
|
|
}
|
|
|
|
/// Validates a relative path that will be used for accessing files within a game directory.
|
|
/// This is a stricter validation that ensures the path is relative and doesn't escape.
|
|
///
|
|
/// # Errors
|
|
/// Returns an error if the path is absolute or attempts directory traversal.
|
|
pub fn validate_game_file_path(game_dir: &Path, relative_path: &str) -> eyre::Result<PathBuf> {
|
|
validate_relative_path(game_dir, relative_path)
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
|
|
fn create_temp_dir() -> std::io::Result<std::path::PathBuf> {
|
|
let mut dir = std::env::temp_dir();
|
|
let unique = format!(
|
|
"lanspread_test_{}_{}",
|
|
std::process::id(),
|
|
std::time::SystemTime::now()
|
|
.duration_since(std::time::UNIX_EPOCH)
|
|
.unwrap_or_default()
|
|
.as_nanos()
|
|
);
|
|
dir.push(unique);
|
|
std::fs::create_dir_all(&dir)?;
|
|
Ok(dir)
|
|
}
|
|
|
|
struct TempDir(std::path::PathBuf);
|
|
|
|
impl TempDir {
|
|
fn new() -> std::io::Result<Self> {
|
|
let path = create_temp_dir()?;
|
|
Ok(TempDir(path))
|
|
}
|
|
|
|
fn path(&self) -> &std::path::Path {
|
|
&self.0
|
|
}
|
|
}
|
|
|
|
impl Drop for TempDir {
|
|
fn drop(&mut self) {
|
|
let _ = std::fs::remove_dir_all(&self.0);
|
|
}
|
|
}
|
|
|
|
#[test]
|
|
fn test_valid_paths() {
|
|
let temp_dir = TempDir::new().expect("Failed to create temp dir for test");
|
|
let base = temp_dir.path();
|
|
|
|
// Valid relative paths
|
|
assert!(validate_game_file_path(base, "file.txt").is_ok());
|
|
assert!(validate_game_file_path(base, "subdir/file.txt").is_ok());
|
|
assert!(validate_game_file_path(base, "subdir/deep/nested/file.txt").is_ok());
|
|
assert!(validate_game_file_path(base, "file with spaces.txt").is_ok());
|
|
assert!(validate_game_file_path(base, "./dot/./path.txt").is_ok());
|
|
|
|
#[allow(clippy::unwrap_used)]
|
|
let windows_style = validate_game_file_path(base, "mix\\windows\\path.txt").unwrap();
|
|
assert_eq!(
|
|
windows_style,
|
|
base.join("mix").join("windows").join("path.txt")
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn test_traversal_attempts() {
|
|
let temp_dir = TempDir::new().expect("Failed to create temp dir for test");
|
|
let base = temp_dir.path();
|
|
|
|
// These should all fail
|
|
assert!(validate_game_file_path(base, "../outside.txt").is_err());
|
|
assert!(validate_game_file_path(base, "subdir/../../outside.txt").is_err());
|
|
assert!(validate_game_file_path(base, "../../etc/passwd").is_err());
|
|
}
|
|
|
|
#[test]
|
|
fn test_double_dot_in_filename_allowed() {
|
|
let temp_dir = TempDir::new().expect("Failed to create temp dir for test");
|
|
let base = temp_dir.path();
|
|
|
|
assert!(validate_game_file_path(base, "data/file..txt").is_ok());
|
|
}
|
|
|
|
#[test]
|
|
fn test_missing_file_stays_within_base() {
|
|
let temp_dir = TempDir::new().expect("Failed to create temp dir for test");
|
|
let base = temp_dir.path();
|
|
|
|
#[allow(clippy::unwrap_used)]
|
|
let resolved = validate_game_file_path(base, "new_dir/new_file.bin").unwrap();
|
|
assert_eq!(resolved, base.join("new_dir").join("new_file.bin"));
|
|
}
|
|
|
|
#[test]
|
|
fn test_relative_base_dir_rejected() {
|
|
let relative_base = std::path::Path::new("relative/base");
|
|
assert!(validate_game_file_path(relative_base, "file.bin").is_err());
|
|
}
|
|
|
|
#[test]
|
|
fn test_absolute_paths() {
|
|
let temp_dir = TempDir::new().expect("Failed to create temp dir for test");
|
|
let base = temp_dir.path();
|
|
|
|
// Absolute paths should fail
|
|
assert!(validate_game_file_path(base, "/etc/passwd").is_err());
|
|
if cfg!(windows) {
|
|
assert!(validate_game_file_path(base, "C:\\Windows\\System32\\cmd.exe").is_err());
|
|
}
|
|
}
|
|
|
|
#[test]
|
|
fn test_windows_specific() {
|
|
let temp_dir = TempDir::new().expect("Failed to create temp dir for test");
|
|
let base = temp_dir.path();
|
|
|
|
// Windows-specific paths that should fail
|
|
assert!(validate_game_file_path(base, "C:\\evil.txt").is_err());
|
|
assert!(validate_game_file_path(base, "D:/evil.txt").is_err());
|
|
assert!(validate_game_file_path(base, "\\\\server\\share\\file.txt").is_err());
|
|
}
|
|
|
|
#[cfg(unix)]
|
|
#[test]
|
|
fn test_symlink_escape_rejected() {
|
|
use std::os::unix::fs::symlink;
|
|
|
|
let base_dir = TempDir::new().expect("Failed to create base temp dir");
|
|
let outside_dir = TempDir::new().expect("Failed to create outside temp dir");
|
|
|
|
let base = base_dir.path();
|
|
let outside = outside_dir.path();
|
|
|
|
symlink(outside, base.join("link")).expect("Failed to create symlink");
|
|
|
|
assert!(validate_game_file_path(base, "link/escape.txt").is_err());
|
|
}
|
|
}
|