Make collections search safer
@ -23,6 +23,8 @@ is-it-maintained-issue-resolution = { repository = "security" }
is-it-maintained-open-issues = { repository = "security" }
is-it-maintained-open-issues = { repository = "security" }
maintenance = { status = "passively-maintained" }
maintenance = { status = "passively-maintained" }
# docker pull clux/muslrust:stable
# docker run -v $PWD:/volume --rm -t clux/muslrust:stable cargo build --release
[[bin]]
[[bin]]
name = "snow-scanner"
name = "snow-scanner"
path = "src/main.rs"
path = "src/main.rs"
@ -35,6 +37,8 @@ actix-files = "0.6.6"
hmac = "0.12.1"
hmac = "0.12.1"
sha2 = "0.10.8"
sha2 = "0.10.8"
hex = "0.4.3"
hex = "0.4.3"
# mariadb-dev on Alpine
# "mysqlclient-src" "mysql_backend"
diesel = { version = "2.2.0", default-features = false, features = ["mysql", "chrono", "uuid", "r2d2"] }
diesel = { version = "2.2.0", default-features = false, features = ["mysql", "chrono", "uuid", "r2d2"] }
dns-ptr-resolver = "1.2.0"
dns-ptr-resolver = "1.2.0"
hickory-client = { version = "0.24.1", default-features = false }
hickory-client = { version = "0.24.1", default-features = false }
@ -279,8 +279,31 @@ async fn handle_report(pool: web::Data<DbPool>, params: web::Form<ReportParams>)
}
}
}
}
struct SecurePath {
pub data: String,
}
impl<'de> Deserialize<'de> for SecurePath {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where
D: Deserializer<'de>,
{
let s = <Vec<String>>::deserialize(deserializer)?;
let k: String = s[0].to_string();
// A-Z a-z 0-9
// . - _
if k.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-' || c == '_') {
return Ok(SecurePath { data: k });
}
Err(serde::de::Error::custom(format!(
"Invalid value: {}",
k.to_string()
)))
}
}
async fn handle_get_collection(
async fn handle_get_collection(
path: web::Path<(String, String)>,
path: web::Path<(SecurePath, SecurePath)>,
req: HttpRequest,
req: HttpRequest,
static_data_dir: actix_web::web::Data<String>,
static_data_dir: actix_web::web::Data<String>,
) -> actix_web::Result<HttpResponse> {
) -> actix_web::Result<HttpResponse> {
@ -290,8 +313,8 @@ async fn handle_get_collection(
let static_data_dir: String = static_data_dir.into_inner().to_string();
let static_data_dir: String = static_data_dir.into_inner().to_string();
path.push(static_data_dir);
path.push(static_data_dir);
path.push("collections");
path.push("collections");
path.push(vendor_name.to_string());
path.push(vendor_name.data);
path.push(file_name.to_string());
path.push(file_name.data);
match NamedFile::open(path) {
match NamedFile::open(path) {
Ok(file) => Ok(file.into_response(&req)),
Ok(file) => Ok(file.into_response(&req)),
Err(err) => Ok(HttpResponse::NotFound()
Err(err) => Ok(HttpResponse::NotFound()
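Review bot: The character allow-list in SecurePath::deserialize still accepts `.`, `..` and the empty string, so the `path.push(vendor_name.data)` / `path.push(file_name.data)` calls in the second hunk can still be handed a `..` segment and resolve outside the `collections` directory; reject those values before the character check, e.g. `if k.is_empty() || k == "." || k == ".." { return Err(serde::de::Error::custom("Invalid value")); }`. `s[0]` also panics on an empty sequence instead of surfacing a deserialize error; `let k = s.into_iter().next().ok_or_else(|| serde::de::Error::custom("missing value"))?;` keeps that failure inside the Result. The `k.to_string()` inside the `format!` clones a String that is already a String and can be dropped. A doc comment on the struct stating the contract, `/// A single path segment limited to ASCII alphanumerics and '.', '-', '_'; never '.', '..' or empty.`, would tell the next reader why this type carries a hand-written Deserialize impl.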