Use Absolutize for files that do not exist

Canonicalize relies on the file existing to resolve the potential traversal, which won't work for file upload in case the file name has a traversal inside it.
2020-10-17 19:22:55 -04:00
parent 6c9c80f61d
commit eccb45ced0
4 changed files with 29 additions and 16 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -153,13 +153,8 @@ async fn upload_image(_: Claims, mut payload: mp::Multipart) -> impl Responder {

    let path = file_path.unwrap_or_else(|| dotenv::var("BASE_PATH").unwrap());
    if !file_content.is_empty() {
-        let full_path = PathBuf::from(&path);
-
-        if let Some(mut full_path) = is_valid_path(full_path.to_str().unwrap_or("")) {
-            // TODO: Validate this file_name as is subject to path traversals which could lead to
-            // writing outside the base dir.
-            full_path = full_path.join(file_name.unwrap());
-
+        let full_path = PathBuf::from(&path).join(file_name.unwrap());
+        if let Some(full_path) = is_valid_path(full_path.to_str().unwrap_or("")) {
            if !full_path.is_file() {
                let mut file = File::create(full_path).unwrap();
                file.write_all(&file_content).unwrap();
@@ -206,8 +201,7 @@ async fn stream_video(
    // Extract video playlist dir to dotenv
    if !playlist.starts_with("tmp") || playlist.contains("..") {
        HttpResponse::NotFound().finish()
-    }
-    else if let Ok(file) = NamedFile::open(playlist) {
+    } else if let Ok(file) = NamedFile::open(playlist) {
        file.into_response(&request).unwrap()
    } else {
        HttpResponse::NotFound().finish()