From 8eb751c1a869d243753a2005817f29b4e63f76bd Mon Sep 17 00:00:00 2001
From: Maksym Vatsyk <54282598+adeadfed@users.noreply.github.com>
Date: Fri, 4 Aug 2023 22:56:42 +0200
Subject: [PATCH] Fix LFI in `zola serve` (#2258)

* use fs canonicalize to prevent path traversal

* fix cargo fmt
---
 src/cmd/serve.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs
index 52b1d585b9..a6e906cb0e 100644
--- a/src/cmd/serve.rs
+++ b/src/cmd/serve.rs
@@ -116,6 +116,14 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons
     // otherwise `PathBuf` will interpret it as an absolute path
     root.push(&decoded[1..]);
 
+    // Resolve the root + user supplied path into the absolute path
+    // this should hopefully remove any path traversals
+    // if we fail to resolve path, we should return 404
+    root = match tokio::fs::canonicalize(&root).await {
+        Ok(d) => d,
+        Err(_) => return Ok(not_found()),
+    };
+
     // Ensure we are only looking for things in our public folder
     if !root.starts_with(original_root) {
         return Ok(not_found());