| Crates.io | path_trav |
| lib.rs | path_trav |
| version | 2.0.1 |
| created_at | 2022-11-21 20:14:37.564584+00 |
| updated_at | 2025-02-03 08:22:39.147825+00 |
| description | A simple path traversal checker. Useful for APIs that serve dynamic files. |
| homepage | |
| repository | https://github.com/gatomod/path_trav |
| max_upload_size | |
| id | 720376 |
| size | 21,345 |
Note: this is a security tool. If you see something wrong, please read the security policy.
The is_path_trav function is implemented as an extension on std::path::Path (and PathBuf). It takes two paths: the base path (self) and the path to check.
To verify that the second lies inside the first, path_trav resolves both into absolute paths and then checks whether the resolved second path starts with the resolved base path. Because the paths are resolved against the filesystem, both must exist; a path that cannot be resolved yields an error instead of a verdict.
Base : /home/user/data --> /home/user/data
Rel : ./data/folder --> /home/user/data/folder
The relative path resolves inside the base path: no traversal.
Base : /home/user/data --> /home/user/data
Rel : ./data/../../../etc/passwd --> /etc/passwd
The relative path resolves outside the base path; it is trying to reach sensitive data: traversal detected.
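The same check can be written with only the standard library. The block below is an added example, not code from the path_trav crate; the names is_traversal and run_demo, and the temporary directory layout the demo builds, are assumptions made for illustration. It keeps the crate's convention (Ok(true) means the candidate escapes the base; a path that cannot be resolved yields the io::ErrorKind) and also exercises two cases worth checking in any implementation of this technique: a sibling directory whose name shares the base's name as a string prefix, and a symlink inside the base that points outside it. One deliberate difference from the crate's README examples: a relative candidate is resolved against the base directory rather than the process's current directory, which is what a file-serving API usually wants.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Resolve both paths on the filesystem and report whether `candidate` escapes `base`.
/// Ok(true) means traversal (the candidate is NOT inside the base), matching the
/// convention of path_trav's is_path_trav; Err(..) means a path could not be resolved.
/// canonicalize() follows symlinks and collapses `..`, so a link inside the base that
/// points outside it is caught, but it also requires that the path exists.
fn is_traversal(base: &Path, candidate: &Path) -> io::Result<bool> {
    let base = fs::canonicalize(base)?;
    // Design choice for this example: a relative candidate is resolved against the
    // base directory, not the process's current directory.
    let joined = if candidate.is_absolute() {
        candidate.to_path_buf()
    } else {
        base.join(candidate)
    };
    let resolved = fs::canonicalize(&joined)?;
    // Component-wise prefix test. A plain string prefix comparison would wrongly
    // accept "/srv/data_private/x" as being under "/srv/data".
    Ok(!resolved.starts_with(&base))
}

/// Build a throwaway directory layout (constructed sample data, removed afterwards)
/// and run the check against several candidates, returning each verdict by name.
fn run_demo() -> io::Result<Vec<(&'static str, Result<bool, io::ErrorKind>)>> {
    let stamp = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_nanos())
        .unwrap_or(0);
    let root = std::env::temp_dir()
        .join(format!("path_trav_demo_{}_{}", std::process::id(), stamp));
    let base = root.join("data");
    fs::create_dir_all(base.join("inner"))?;
    fs::write(base.join("inner/file.txt"), b"served")?;
    fs::write(root.join("outside.txt"), b"outside")?;
    // A sibling whose name shares the base's name as a string prefix.
    fs::create_dir_all(root.join("data_private"))?;
    fs::write(root.join("data_private/secret.txt"), b"secret")?;
    // A symlink inside the base that points outside it (Unix only).
    #[cfg(unix)]
    std::os::unix::fs::symlink(root.join("outside.txt"), base.join("link"))?;

    let mut cases: Vec<(&'static str, PathBuf)> = vec![
        ("inside", PathBuf::from("inner/file.txt")),
        ("dot-dot escape", PathBuf::from("inner/../../outside.txt")),
        ("sibling with shared prefix", PathBuf::from("../data_private/secret.txt")),
        ("absolute outside", root.join("outside.txt")),
        ("missing file", PathBuf::from("inner/nope.txt")),
    ];
    #[cfg(unix)]
    cases.push(("symlink pointing outside", PathBuf::from("link")));

    let results = cases
        .iter()
        .map(|(name, p)| (*name, is_traversal(&base, p).map_err(|e| e.kind())))
        .collect();
    let _ = fs::remove_dir_all(&root);
    Ok(results)
}

fn main() -> io::Result<()> {
    for (name, verdict) in run_demo()? {
        println!("{:<28} -> {:?}", name, verdict);
    }
    Ok(())
}
```

The existence requirement cuts both ways: it is what lets the check see through symlinks, but it also means a request for a file that does not exist comes back as Err(NotFound) rather than a traversal verdict, so a caller must decide how to treat that error (typically as a rejection) and must not fall back to the unchecked path.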
First, add path_trav to your Cargo.toml:
[dependencies]
path_trav = "2"
Then, in your main.rs file:
use std::io::ErrorKind;
use std::path::Path;
use path_trav::*;

fn main() {
    let server_folder = Path::new("./");
    let server_file = Path::new("./tests/test.rs");
    let important_file = Path::new("~/../../etc/passwd");
    let non_existent_file = Path::new("../weird_file");

    // Path resolves inside server_folder: no traversal (Ok(false))
    assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));
    // Path resolves outside server_folder: path traversal detected (Ok(true))
    assert_eq!(Ok(true), server_folder.is_path_trav(&important_file));
    // File does not exist, so the path cannot be resolved (Err(NotFound))
    assert_eq!(Err(ErrorKind::NotFound), server_folder.is_path_trav(&non_existent_file));
}
is_path_trav returns Result<bool, std::io::ErrorKind>. Ok(true) means the checked path escapes the base directory (path traversal); Ok(false) means it stays inside; Err(kind) means one of the paths could not be resolved, for example ErrorKind::NotFound when the file does not exist.
Note: you can also use it with PathBuf:
use std::path::PathBuf;
use path_trav::*;

let server_folder = PathBuf::from("./");
let server_file = PathBuf::from("./tests/test.rs");
assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));
There are a few integration tests in the /tests folder where you can check Path Trav's behavior.
path_trav is licensed under the Apache 2.0 license.
🥳 Any PR is welcome! Path Trav is a small project, so please follow the code style and avoid making insane proposals.
Gátomo - Apache 2.0 License