💾 Archived View for lists.flounder.online › patches › threads › 20210324203822.10854-3-johann@qwertq… captured on 2022-04-28 at 19:24:24. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
From: johann@qwertqwefsday.eu
Date: Wed, 24 Mar 2021 21:38:22 +0100
Message-Id: 20210324203822.10854-3-johann@qwertqwefsday.eu
To: <~aw/patches@lists.sr.ht>
In-Reply-To: 20210324203822.10854-1-johann@qwertqwefsday.eu
Cc: "Johann150" <johann@qwertqwefsday.eu>
--------------------------------------
From: Johann150 <johann@qwertqwefsday.eu>
Check for the export file and also improve path traversal protection:
Do not just check if the path contains .. but instead check that the
resulting path does not leave the project root directory.
---
src/main.rs | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 87fe0ca..c5cb8cd 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -133,18 +133,34 @@ fn repo_from_request(repo_name: &str) -> Result<Repository, tide::Error> {
let repo_name = percent_encoding::percent_decode_str(repo_name)
.decode_utf8_lossy()
.into_owned();
- if repo_name.contains("..") {
- // Prevent path traversal
- return Err(tide::Error::from_str(400, "Invalid name"));
- }
- // TODO: check for export_ok file
+
let repo_path = Path::new(&CONFIG.projectroot).join(repo_name);
- Repository::open(repo_path).or_else(|_| {
+
+ // prevent path traversal
+ if !repo_path.starts_with(&CONFIG.projectroot) {
+ return Err(tide::Error::from_str(
+ 403,
+ "You do not have access to this resource.",
+ ));
+ }
+
+ let repo = Repository::open(repo_path).or_else(|_| {
+ Err(tide::Error::from_str(
+ 404,
+ "This repository does not exist.",
+ ))
+ })?;
+
+ if !repo.path().join(&CONFIG.export_ok).exists() {
+ // outside users should not be able to tell the difference between
+ // nonexistent and existing but forbidden repos, so not using 403
Err(tide::Error::from_str(
404,
"This repository does not exist.",
))
- })
+ } else {
+ Ok(repo)
+ }
}
async fn repo_home(req: Request<()>) -> tide::Result {
--
2.20.1