Update dependencies, disable registration and improve path handling
@@ -1,10 +1,11 @@
|
||||
use actix_web::error::ErrorUnauthorized;
|
||||
use actix_web::{dev, http::header, Error, FromRequest, HttpRequest};
|
||||
use futures::future::{err, ok, Ready};
|
||||
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use std::str::FromStr;
|
||||
|
||||
use actix_web::{dev, Error, FromRequest, http::header, HttpRequest};
|
||||
use actix_web::error::ErrorUnauthorized;
|
||||
use futures::future::{err, ok, Ready};
|
||||
use jsonwebtoken::{Algorithm, decode, DecodingKey, Validation};
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
#[derive(Serialize)]
|
||||
pub struct Token<'a> {
|
||||
pub token: &'a str,
|
||||
@@ -17,7 +18,7 @@ pub struct Claims {
|
||||
}
|
||||
|
||||
pub fn secret_key() -> String {
|
||||
dotenv::var("SECRET_KEY").unwrap()
|
||||
dotenv::var("SECRET_KEY").expect("SECRET_KEY env not set!")
|
||||
}
|
||||
|
||||
impl FromStr for Claims {
|
||||
|
||||
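Review bot: `secret_key()` still accepts an empty `SECRET_KEY` and only fails when it is first called, so a misconfigured deployment either verifies tokens against an empty key or panics inside a request instead of at startup. The new `expect` improves the message but not the check; consider rejecting a blank value, e.g. `let key = dotenv::var("SECRET_KEY").expect("SECRET_KEY env not set!"); assert!(!key.trim().is_empty(), "SECRET_KEY must not be empty");`, and calling the function once during startup (its call sites are not visible in this hunk). A doc comment such as `/// Returns the secret from SECRET_KEY; panics if the variable is unset.` would make the panic explicit to callers.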
53
src/files.rs
53
src/files.rs
@@ -1,9 +1,11 @@
|
||||
use path_absolutize::*;
|
||||
use std::ffi::OsStr;
|
||||
use std::fs::read_dir;
|
||||
use std::io;
|
||||
use std::io::Error;
|
||||
use std::path::{Path, PathBuf};
|
||||
|
||||
use path_absolutize::*;
|
||||
|
||||
pub fn list_files(dir: PathBuf) -> io::Result<Vec<PathBuf>> {
|
||||
let files = read_dir(dir)?
|
||||
.map(|res| res.unwrap())
|
||||
@@ -43,44 +45,37 @@ pub fn is_valid_path(path: &str) -> Option<PathBuf> {
|
||||
}
|
||||
|
||||
fn is_valid_full_path(base: &Path, path: &str) -> Option<PathBuf> {
|
||||
let path = PathBuf::from(path);
|
||||
let mut path = PathBuf::from(path);
|
||||
if path.is_relative() {
|
||||
let mut full_path = PathBuf::from(base);
|
||||
full_path.push(&path);
|
||||
full_path
|
||||
.absolutize()
|
||||
.and_then(|p| {
|
||||
if p.starts_with(base) {
|
||||
Ok(p.into_owned())
|
||||
} else {
|
||||
Err(io::Error::new(
|
||||
io::ErrorKind::Other,
|
||||
"Path below base directory",
|
||||
))
|
||||
}
|
||||
})
|
||||
.ok()
|
||||
} else if let Ok(path) = path.absolutize().and_then(|path| {
|
||||
if path.starts_with(base) {
|
||||
Ok(path.into_owned())
|
||||
} else {
|
||||
Err(io::Error::new(
|
||||
io::ErrorKind::Other,
|
||||
"Path below base directory",
|
||||
))
|
||||
}
|
||||
}) {
|
||||
is_path_above_base_dir(base, &mut full_path).ok()
|
||||
} else if let Ok(path) = is_path_above_base_dir(base, &mut path) {
|
||||
Some(path)
|
||||
} else {
|
||||
None
|
||||
}
|
||||
}
|
||||
|
||||
fn is_path_above_base_dir(base: &Path, full_path: &mut PathBuf) -> Result<PathBuf, Error> {
|
||||
full_path.absolutize().and_then(|p| {
|
||||
if p.starts_with(base) {
|
||||
Ok(p.into_owned())
|
||||
} else {
|
||||
Err(io::Error::new(
|
||||
io::ErrorKind::Other,
|
||||
"Path below base directory",
|
||||
))
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
use std::env;
|
||||
use std::fs::{create_dir_all, File};
|
||||
use std::fs::File;
|
||||
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
fn directory_traversal_test() {
|
||||
@@ -104,8 +99,6 @@ mod tests {
|
||||
let path = "relative/path/test.png";
|
||||
let mut test_file = PathBuf::from(&base);
|
||||
test_file.push(path);
|
||||
create_dir_all(test_file.parent().unwrap()).unwrap();
|
||||
File::create(test_file).unwrap();
|
||||
|
||||
assert_eq!(
|
||||
Some(PathBuf::from("/tmp/relative/path/test.png")),
|
||||
@@ -125,8 +118,6 @@ mod tests {
|
||||
let path = "relative/path/test.png";
|
||||
let mut test_file = PathBuf::from(&base);
|
||||
test_file.push(path);
|
||||
create_dir_all(test_file.parent().unwrap()).unwrap();
|
||||
File::create(test_file).unwrap();
|
||||
|
||||
assert_eq!(
|
||||
Some(PathBuf::from("/tmp/relative/path/test.png")),
|
||||
|
||||
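Review bot: The containment check in `is_path_above_base_dir` is purely lexical: `absolutize()` normalises `..` components without resolving symlinks, so a symlink located under `base` that points elsewhere still passes `p.starts_with(base)`. If the served directory can contain symlinks, compare canonicalized paths before the file is opened (for paths that must already exist, `full_path.canonicalize()` against a canonicalized `base`) and add a test with a symlink that leaves the base. The helper never mutates its argument, so `full_path: &Path` would do instead of `&mut PathBuf`, and the name reads inverted relative to what it accepts; a doc comment along the lines of `/// Returns the absolutized path if it lies within base, otherwise an error.` would settle that. `is_valid_path`, which supplies `base`, lies outside the visible hunks, so whether `base` is itself absolute and normalised cannot be confirmed here.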
@@ -49,7 +49,7 @@ async fn login(creds: Json<LoginRequest>) -> impl Responder {
|
||||
if let Some(user) = get_user(&creds.username, &creds.password) {
|
||||
let claims = Claims {
|
||||
sub: user.id.to_string(),
|
||||
exp: (Utc::now() + Duration::days(3)).timestamp(),
|
||||
exp: (Utc::now() + Duration::days(5)).timestamp(),
|
||||
};
|
||||
let token = encode(
|
||||
&Header::default(),
|
||||
@@ -287,7 +287,7 @@ async fn create_thumbnails() {
|
||||
.map(|entry| (image::open(entry.path()), entry.path().to_path_buf()))
|
||||
.filter(|(img, _)| img.is_ok())
|
||||
.map(|(img, path)| (img.unwrap(), path))
|
||||
.map(|(image, path)| (image.thumbnail(200, 200), path))
|
||||
.map(|(image, path)| (image.thumbnail(200, u32::MAX), path))
|
||||
.map(|(image, path)| {
|
||||
let relative_path = &path.strip_prefix(&images).unwrap();
|
||||
let thumb_path = Path::new(thumbnail_directory).join(relative_path);
|
||||
@@ -332,7 +332,6 @@ async fn main() -> std::io::Result<()> {
|
||||
|
||||
HttpServer::new(|| {
|
||||
App::new()
|
||||
.service(register)
|
||||
.service(login)
|
||||
.service(list_photos)
|
||||
.service(get_image)
|
||||
|
||||
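Review bot: In `create_thumbnails`, `image.thumbnail(200, u32::MAX)` (taking the second of the two printed lines as the new side) removes any bound on thumbnail height, so a narrow, very tall source image produces a thumbnail as tall as its aspect ratio dictates. If the image directory can hold files from untrusted sources, that is an unbounded memory and disk cost per file; a generous finite cap, e.g. `image.thumbnail(200, 4000)`, keeps the width-driven sizing for ordinary photos while bounding the worst case. The function body starts and ends outside the hunk.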