Skip to content

Latest commit

 

History

History
88 lines (62 loc) · 3.48 KB

README.md

File metadata and controls

88 lines (62 loc) · 3.48 KB

Path trav

A simple path traversal checker made with Rust. Useful for APIs that serve dynamic files.


license crates.io docs.rs discord


Note: this is a security tool. If you see something wrong, open an issue in GitHub.

How it works?

The is_path_trav function is implemented in std::path::Path. It receives two paths, the base path and the path to check. To verify if the second is inside the first, path_trav turn paths into absolute and check if the second route contains the first.

Example 1.

Base  : /home/user/data   -->  /home/user/data

Rel     : ./data/folder          -->  /home/user/data/folder

Relative path is inside base path.

Example 2.

Base  : /home/user/data              -->  /home/user/data

Rel     : ./data/../../../etc/passwd   -->  /etc/passwd

Relative path isn't inside base path, tries to access sensitive data

Examples

First, add path_trav to your Cargo.toml

[dependencies]
path_trav = "2.0.0"

Then, on your main.rs file

use std::path::Path;
use path_trav::*;

fn main() {
    let server_folder       = Path::new("./");
    let server_file         = Path::new("./tests/test.rs");
    let important_file      = Path::new("~/../../etc/passwd");
    let non_existent_file   = Path::new("../weird_file");

    // Path is inside server_folder (Ok)
    assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));

    // Path tries to access sensitive data (Path Traversal detected)
    assert_eq!(Ok(true), server_folder.is_path_trav(&important_file));

    // File does not exists (ENOENT)
    assert_eq!(Err(ErrorKind::NotFound), server_folder.is_path_trav(&non_existent_file));
}

is_path_trav returns Result<bool, std::io::ErrorKind>. Unwrap it or use match to get the result. If returns true, there are path traversal.

Note: You can use it with PathBuf

use std::path:PathBuf

let server_folder   = PathBuf::from("./");
let server_file     = PathBuf::from("./tests/test.rs");

assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));

Tests

There are a few integration tests in /tests folder where you can check the Path Trav behavior.

License

path_trav is licensed under the Apache 2.0 license.

Contribute

🥳 Any PR is welcome! Is a small project, so the guideline is to follow the code style and not make insane pruposes.

Links

Gátomo - Apache 2.0 License