Update dependencies, disable registration and improve path handling

2021-02-02 13:57:51 -05:00
parent acad71701e
commit f20a8a5842
5 changed files with 328 additions and 291 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,15 +7,16 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [dependencies]
-actix-web = "3.0"
-actix-rt = "1.0"
-actix-files = "0.3.0"
+actix-web = "3"
+actix-rt = "1"
+actix-files = "0.4"
 actix-multipart = "0.3.0"
+actix-cors="0.5"
 futures = "0.3.5"
 jsonwebtoken = "7.2.0"
-serde = "1.0"
-serde_json = "1.0"
-diesel = { version = "1.4.4", features = ["sqlite"] }
+serde = "1"
+serde_json = "1"
+diesel = { version = "1.4.5", features = ["sqlite"] }
 hmac = "0.7.1"
 sha2 = "0.8.2"
 chrono = "0.4.11"
--- a/src/data/mod.rs
+++ b/src/data/mod.rs
@@ -1,10 +1,11 @@
-use actix_web::error::ErrorUnauthorized;
-use actix_web::{dev, http::header, Error, FromRequest, HttpRequest};
-use futures::future::{err, ok, Ready};
-use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
-use serde::{Deserialize, Serialize};
 use std::str::FromStr;

+use actix_web::{dev, Error, FromRequest, http::header, HttpRequest};
+use actix_web::error::ErrorUnauthorized;
+use futures::future::{err, ok, Ready};
+use jsonwebtoken::{Algorithm, decode, DecodingKey, Validation};
+use serde::{Deserialize, Serialize};
+
 #[derive(Serialize)]
 pub struct Token<'a> {
    pub token: &'a str,
@@ -17,7 +18,7 @@ pub struct Claims {
 }

 pub fn secret_key() -> String {
-    dotenv::var("SECRET_KEY").unwrap()
+    dotenv::var("SECRET_KEY").expect("SECRET_KEY env not set!")
 }

 impl FromStr for Claims {
--- a/src/files.rs
+++ b/src/files.rs
@@ -1,9 +1,11 @@
-use path_absolutize::*;
 use std::ffi::OsStr;
 use std::fs::read_dir;
 use std::io;
+use std::io::Error;
 use std::path::{Path, PathBuf};

+use path_absolutize::*;
+
 pub fn list_files(dir: PathBuf) -> io::Result<Vec<PathBuf>> {
    let files = read_dir(dir)?
        .map(|res| res.unwrap())
@@ -43,44 +45,37 @@ pub fn is_valid_path(path: &str) -> Option<PathBuf> {
 }

 fn is_valid_full_path(base: &Path, path: &str) -> Option<PathBuf> {
-    let path = PathBuf::from(path);
+    let mut path = PathBuf::from(path);
    if path.is_relative() {
        let mut full_path = PathBuf::from(base);
        full_path.push(&path);
-        full_path
-            .absolutize()
-            .and_then(|p| {
-                if p.starts_with(base) {
-                    Ok(p.into_owned())
-                } else {
-                    Err(io::Error::new(
-                        io::ErrorKind::Other,
-                        "Path below base directory",
-                    ))
-                }
-            })
-            .ok()
-    } else if let Ok(path) = path.absolutize().and_then(|path| {
-        if path.starts_with(base) {
-            Ok(path.into_owned())
-        } else {
-            Err(io::Error::new(
-                io::ErrorKind::Other,
-                "Path below base directory",
-            ))
-        }
-    }) {
+        is_path_above_base_dir(base, &mut full_path).ok()
+    } else if let Ok(path) = is_path_above_base_dir(base, &mut path) {
        Some(path)
    } else {
        None
    }
 }

+fn is_path_above_base_dir(base: &Path, full_path: &mut PathBuf) -> Result<PathBuf, Error> {
+    full_path.absolutize().and_then(|p| {
+        if p.starts_with(base) {
+            Ok(p.into_owned())
+        } else {
+            Err(io::Error::new(
+                io::ErrorKind::Other,
+                "Path below base directory",
+            ))
+        }
+    })
+}
+
 #[cfg(test)]
 mod tests {
-    use super::*;
    use std::env;
-    use std::fs::{create_dir_all, File};
+    use std::fs::File;
+
+    use super::*;

    #[test]
    fn directory_traversal_test() {
@@ -104,8 +99,6 @@ mod tests {
        let path = "relative/path/test.png";
        let mut test_file = PathBuf::from(&base);
        test_file.push(path);
-        create_dir_all(test_file.parent().unwrap()).unwrap();
-        File::create(test_file).unwrap();

        assert_eq!(
            Some(PathBuf::from("/tmp/relative/path/test.png")),
@@ -125,8 +118,6 @@ mod tests {
        let path = "relative/path/test.png";
        let mut test_file = PathBuf::from(&base);
        test_file.push(path);
-        create_dir_all(test_file.parent().unwrap()).unwrap();
-        File::create(test_file).unwrap();

        assert_eq!(
            Some(PathBuf::from("/tmp/relative/path/test.png")),
--- a/src/main.rs
+++ b/src/main.rs
@@ -49,7 +49,7 @@ async fn login(creds: Json<LoginRequest>) -> impl Responder {
    if let Some(user) = get_user(&creds.username, &creds.password) {
        let claims = Claims {
            sub: user.id.to_string(),
-            exp: (Utc::now() + Duration::days(3)).timestamp(),
+            exp: (Utc::now() + Duration::days(5)).timestamp(),
        };
        let token = encode(
            &Header::default(),
@@ -287,7 +287,7 @@ async fn create_thumbnails() {
        .map(|entry| (image::open(entry.path()), entry.path().to_path_buf()))
        .filter(|(img, _)| img.is_ok())
        .map(|(img, path)| (img.unwrap(), path))
-        .map(|(image, path)| (image.thumbnail(200, 200), path))
+        .map(|(image, path)| (image.thumbnail(200, u32::MAX), path))
        .map(|(image, path)| {
            let relative_path = &path.strip_prefix(&images).unwrap();
            let thumb_path = Path::new(thumbnail_directory).join(relative_path);
@@ -332,7 +332,6 @@ async fn main() -> std::io::Result<()> {

    HttpServer::new(|| {
        App::new()
-            .service(register)
            .service(login)
            .service(list_photos)
            .service(get_image)