~repos /rust-embed

#rust#proc-macro#http

git clone https://pyrossh.dev/repos/rust-embed.git

rust macro which loads files into the rust binary at compile time during release and loads the file from the fs during dev.

Readme
|
Commits
|
Files
47e1f89c Buckram

1 year ago 
Fixed symlinks in debug mode
Files changed (1) hide show
  1. impl/src/lib.rs +10 -1
impl/src/lib.rs CHANGED
@@ -141,7 +141,16 @@ fn dynamic(ident: &syn::Ident, folder_path: String, prefix: Option<&str>, includ
141
141
  let canonical_file_path = file_path.canonicalize().ok()?;
142
142
  if !canonical_file_path.starts_with(#canonical_folder_path) {
143
143
  // Tried to request a path that is not in the embedded folder
144
+
145
+ // Should be allowed only if it was a symlink
146
+ // TODO: Currently it allows "path_traversal_attack" for the symlink files
147
+ // For it to be working properly we need to get absolute path first
148
+ // and check that instead if it starts with `canonical_folder_path`
149
+ // https://doc.rust-lang.org/std/path/fn.absolute.html (currently nightly)
150
+ let metadata = ::std::fs::metadata(file_path.as_path()).ok()?;
151
+ if !metadata.is_symlink() {
144
- return ::std::option::Option::None;
152
+ return ::std::option::Option::None;
153
+ }
145
154
  }
146
155
 
147
156
  if rust_embed::utils::is_path_included(&rel_file_path, INCLUDES, EXCLUDES) {