From 8d514e8bebeaa73393450fc386c01aec35bfe8a4 Mon Sep 17 00:00:00 2001
From: adeadfed <maksym.vatsyk17@gmail.com>
Date: Mon, 24 Jul 2023 18:41:23 +0200
Subject: [PATCH 1/2] use fs canonicalize to prevent path traversal

---
 src/cmd/serve.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs
index 52b1d585b9..e102e90d0e 100644
--- a/src/cmd/serve.rs
+++ b/src/cmd/serve.rs
@@ -116,6 +116,14 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons
     // otherwise `PathBuf` will interpret it as an absolute path
     root.push(&decoded[1..]);
 
+    // Resolve the root + user supplied path into the absolute path
+    // this should hopefully remove any path traversals
+    // if we fail to resolve path, we should return 404
+    root = match tokio::fs::canonicalize(&root).await {
+        Ok(d) => d,
+        Err(_) => return Ok(not_found())
+    };
+    
     // Ensure we are only looking for things in our public folder
     if !root.starts_with(original_root) {
         return Ok(not_found());

From 219fe9bed1d2aae5c6b57b2017cce8956ce62cf7 Mon Sep 17 00:00:00 2001
From: Maksym Vatsyk <maksym.vatsyk17@gmail.com>
Date: Mon, 24 Jul 2023 23:38:47 +0200
Subject: [PATCH 2/2] fix cargo fmt

---
 src/cmd/serve.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs
index e102e90d0e..a6e906cb0e 100644
--- a/src/cmd/serve.rs
+++ b/src/cmd/serve.rs
@@ -121,9 +121,9 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons
     // if we fail to resolve path, we should return 404
     root = match tokio::fs::canonicalize(&root).await {
         Ok(d) => d,
-        Err(_) => return Ok(not_found())
+        Err(_) => return Ok(not_found()),
     };
-    
+
     // Ensure we are only looking for things in our public folder
     if !root.starts_with(original_root) {
         return Ok(not_found());