rust-embed

rust macro which loads files into the rust binary at compile time during release and loads the file from the fs during dev.

e7c5447d — Buckram

add todo

Files changed (1) hide show

impl/src/lib.rs CHANGED Viewed

@@ -142,6 +142,10 @@ fn dynamic(ident: &syn::Ident, folder_path: String, prefix: Option<&str>, includ
               if !canonical_file_path.starts_with(#canonical_folder_path) {
                   // Tried to request a path that is not in the embedded folder
+                  // TODO: Currently it allows "path_traversal_attack" for the symlink files
+                  // For it to be working properly we need to get absolute path first
+                  // and check that instead if it starts with `canonical_folder_path`
+                  // https://doc.rust-lang.org/std/path/fn.absolute.html (currently nightly)
                   // Should be allowed only if it was a symlink
                   let metadata = ::std::fs::symlink_metadata(file_path.as_path()).ok()?;
                   if !metadata.is_symlink() {