From fdd70f4238cc4ef2ccfc6d7921b23ff474ac0777 Mon Sep 17 00:00:00 2001 From: Sven-Hendrik Haase Date: Sun, 7 Mar 2021 02:38:04 +0100 Subject: Fix DoS issue when deliberately sending unconforming URL paths --- src/listing.rs | 2 +- tests/navigation.rs | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/src/listing.rs b/src/listing.rs index e28ee76..b46dded 100644 --- a/src/listing.rs +++ b/src/listing.rs @@ -214,7 +214,7 @@ pub fn directory_listing( link_accumulator .push_str(&(utf8_percent_encode(&name, FRAGMENT).to_string() + "/")); } - _ => unreachable!(), + _ => name = "".to_string(), }; res.push(Breadcrumb::new( diff --git a/tests/navigation.rs b/tests/navigation.rs index 0826aa0..3d8f37f 100644 --- a/tests/navigation.rs +++ b/tests/navigation.rs @@ -35,6 +35,36 @@ fn index_gets_trailing_slash(tmpdir: TempDir, port: u16) -> Result<(), Error> { Ok(()) } +#[rstest] +/// Can't navigate up the root. +fn cant_navigate_up_the_root(tmpdir: TempDir, port: u16) -> Result<(), Error> { + let mut child = Command::cargo_bin("miniserve")? + .arg("-p") + .arg(port.to_string()) + .arg(tmpdir.path()) + .stdout(Stdio::null()) + .spawn()?; + + sleep(Duration::from_secs(1)); + + // We're using curl for this as it has the option `--path-as-is` which doesn't normalize + // invalid urls. A useful feature in this particular case. + let base_url = Url::parse(&format!("http://localhost:{}", port))?; + let curl_successful = Command::new("curl") + .arg("-s") + .arg("--fail") + .arg("--path-as-is") + .arg(format!("{}/../", base_url)) + .stdout(Stdio::null()) + .status()? + .success(); + assert!(curl_successful); + + child.kill()?; + + Ok(()) +} + #[rstest] /// We can navigate into directories and back using shown links. fn can_navigate_into_dirs_and_back(tmpdir: TempDir, port: u16) -> Result<(), Error> { -- cgit v1.2.3