Make collections search safer

2024-09-22 10:14:00 +02:00
parent bb52edc4c8
commit 43e9176b49
2 changed files with 30 additions and 3 deletions
--- a/snow-scanner/Cargo.toml
+++ b/snow-scanner/Cargo.toml
@ -23,6 +23,8 @@ is-it-maintained-issue-resolution = { repository = "security" }
 is-it-maintained-open-issues = { repository = "security" }
 maintenance = { status = "passively-maintained" }

+# docker pull clux/muslrust:stable
+#  docker run -v $PWD:/volume --rm -t clux/muslrust:stable cargo build --release
 [[bin]]
 name = "snow-scanner"
 path = "src/main.rs"
@ -35,6 +37,8 @@ actix-files = "0.6.6"
 hmac = "0.12.1"
 sha2 = "0.10.8"
 hex = "0.4.3"
+# mariadb-dev on Alpine
+# "mysqlclient-src" "mysql_backend"
 diesel = { version = "2.2.0", default-features = false, features = ["mysql", "chrono", "uuid", "r2d2"] }
 dns-ptr-resolver = "1.2.0"
 hickory-client = { version = "0.24.1", default-features = false }
--- a/snow-scanner/src/main.rs
+++ b/snow-scanner/src/main.rs
@ -279,8 +279,31 @@ async fn handle_report(pool: web::Data<DbPool>, params: web::Form<ReportParams>)
    }
 }

+struct SecurePath {
+    pub data: String,
+}
+
+impl<'de> Deserialize<'de> for SecurePath {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let s = <Vec<String>>::deserialize(deserializer)?;
+        let k: String = s[0].to_string();
+        // A-Z a-z 0-9
+        // . - _
+        if k.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-' || c == '_') {
+            return Ok(SecurePath { data: k });
+        }
+        Err(serde::de::Error::custom(format!(
+            "Invalid value: {}",
+            k.to_string()
+        )))
+    }
+}
+
 async fn handle_get_collection(
-    path: web::Path<(String, String)>,
+    path: web::Path<(SecurePath, SecurePath)>,
    req: HttpRequest,
    static_data_dir: actix_web::web::Data<String>,
 ) -> actix_web::Result<HttpResponse> {
@ -290,8 +313,8 @@ async fn handle_get_collection(
    let static_data_dir: String = static_data_dir.into_inner().to_string();
    path.push(static_data_dir);
    path.push("collections");
-    path.push(vendor_name.to_string());
-    path.push(file_name.to_string());
+    path.push(vendor_name.data);
+    path.push(file_name.data);
    match NamedFile::open(path) {
        Ok(file) => Ok(file.into_response(&req)),
        Err(err) => Ok(HttpResponse::NotFound()