Skip to content

Commit

Permalink
Merge pull request #235 from Buckram123/symlinks-does-not-work-in-debug
Browse files Browse the repository at this point in the history
Symbolic links in debug mode
  • Loading branch information
pyrossh authored Feb 25, 2024
2 parents ed8faec + 23c8cbf commit 02469a4
Show file tree
Hide file tree
Showing 6 changed files with 45 additions and 7 deletions.
1 change: 1 addition & 0 deletions examples/public/symlinks/main.js
11 changes: 10 additions & 1 deletion impl/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,16 @@ fn dynamic(ident: &syn::Ident, folder_path: String, prefix: Option<&str>, includ
let canonical_file_path = file_path.canonicalize().ok()?;
if !canonical_file_path.starts_with(#canonical_folder_path) {
// Tried to request a path that is not in the embedded folder
return ::std::option::Option::None;

// TODO: Currently it allows "path_traversal_attack" for the symlink files
// For it to be working properly we need to get absolute path first
// and check that instead if it starts with `canonical_folder_path`
// https://doc.rust-lang.org/std/path/fn.absolute.html (currently nightly)
// Should be allowed only if it was a symlink
let metadata = ::std::fs::symlink_metadata(file_path.as_path()).ok()?;
if !metadata.is_symlink() {
return ::std::option::Option::None;
}
}

if rust_embed::utils::is_path_included(&rel_file_path, INCLUDES, EXCLUDES) {
Expand Down
18 changes: 16 additions & 2 deletions tests/include_exclude.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@ fn get_works() {
assert!(AllAssets::get("index.html").is_some(), "index.html should exist");
assert!(AllAssets::get("gg.html").is_none(), "gg.html should not exist");
assert!(AllAssets::get("images/llama.png").is_some(), "llama.png should exist");
assert_eq!(AllAssets::iter().count(), 6);
assert!(AllAssets::get("symlinks/main.js").is_some(), "main.js should exist");
assert_eq!(AllAssets::iter().count(), 7);
}

#[derive(RustEmbed)]
Expand All @@ -36,8 +37,9 @@ struct ExcludeSomeAssets;
fn excluding_some_assets_works() {
assert!(ExcludeSomeAssets::get("index.html").is_none(), "index.html should not exist");
assert!(ExcludeSomeAssets::get("main.js").is_some(), "main.js should exist");
assert!(ExcludeSomeAssets::get("symlinks/main.js").is_some(), "main.js symlink should exist");
assert!(ExcludeSomeAssets::get("images/llama.png").is_none(), "llama.png should not exist");
assert_eq!(ExcludeSomeAssets::iter().count(), 2);
assert_eq!(ExcludeSomeAssets::iter().count(), 3);
}

#[derive(RustEmbed)]
Expand All @@ -52,3 +54,15 @@ fn exclude_has_higher_priority() {
assert!(ExcludePriorityAssets::get("images/llama.png").is_some(), "llama.png should exist");
assert_eq!(ExcludePriorityAssets::iter().count(), 2);
}

#[derive(RustEmbed)]
#[folder = "examples/public/symlinks"]
#[include = "main.js"]
struct IncludeSymlink;

#[test]
fn include_symlink() {
assert_eq!(IncludeSymlink::iter().count(), 1);
assert_eq!(IncludeSymlink::iter().next(), Some(std::borrow::Cow::Borrowed("main.js")));
assert!(IncludeSymlink::get("main.js").is_some())
}
4 changes: 2 additions & 2 deletions tests/interpolated_path.rs
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ fn iter_works() {
assert!(Asset::get(file.as_ref()).is_some());
num_files += 1;
}
assert_eq!(num_files, 6);
assert_eq!(num_files, 7);
}

#[test]
Expand All @@ -32,6 +32,6 @@ fn trait_works_generic_helper<E: rust_embed::RustEmbed>() {
assert!(E::get(file.as_ref()).is_some());
num_files += 1;
}
assert_eq!(num_files, 6);
assert_eq!(num_files, 7);
assert!(E::get("gg.html").is_none(), "gg.html should not exist");
}
4 changes: 2 additions & 2 deletions tests/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ fn iter_works() {
assert!(Asset::get(file.as_ref()).is_some());
num_files += 1;
}
assert_eq!(num_files, 6);
assert_eq!(num_files, 7);
}

#[test]
Expand All @@ -41,6 +41,6 @@ fn trait_works_generic_helper<E: rust_embed::RustEmbed>() {
assert!(E::get(file.as_ref()).is_some());
num_files += 1;
}
assert_eq!(num_files, 6);
assert_eq!(num_files, 7);
assert!(E::get("gg.html").is_none(), "gg.html should not exist");
}
14 changes: 14 additions & 0 deletions tests/path_traversal_attack.rs
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,17 @@ struct Assets;
fn path_traversal_attack_fails() {
assert!(Assets::get("../basic.rs").is_none());
}

#[derive(RustEmbed)]
#[folder = "examples/axum-spa/"]
struct AxumAssets;

// TODO:
/// Prevent attempts to access symlinks outside of the embedded folder.
/// This is mainly a concern when running in debug mode, since that loads from
/// the file system at runtime.
#[test]
#[ignore = "see https://github.com/pyrossh/rust-embed/pull/235"]
fn path_traversal_attack_symlink_fails() {
assert!(Assets::get("../public/symlinks/main.js").is_none());
}

0 comments on commit 02469a4

Please sign in to comment.