Note: this is a security tool. If you see something wrong, open an issue on GitHub.
The `is_path_trav` function is implemented on `std::path::Path`. It receives two paths: the base path and the path to check. To verify whether the second path is inside the first, `path_trav` turns both paths into absolute paths (resolving `.`, `..` and symlinks) and then checks whether the resolved second path begins with the first.
```text
Base : /home/user/data            --> /home/user/data
Rel  : ./data/folder              --> /home/user/data/folder
Relative path is inside base path.

Base : /home/user/data            --> /home/user/data
Rel  : ./data/../../../etc/passwd --> /etc/passwd
Relative path isn't inside base path: it tries to access sensitive data.
```
First, add `path_trav` to your `Cargo.toml`:

```toml
[dependencies]
path_trav = "2.0.0"
```
Then, in your `main.rs` file:

```rust
use std::io::ErrorKind;
use std::path::Path;
use path_trav::*;

fn main() {
    let server_folder = Path::new("./");
    let server_file = Path::new("./tests/test.rs");
    let important_file = Path::new("~/../../etc/passwd");
    let non_existent_file = Path::new("../weirdfile");

    // Path is inside server_folder (Ok)
    assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));
    // Path tries to access sensitive data (Path Traversal detected)
    assert_eq!(Ok(true), server_folder.is_path_trav(&important_file));
    // File does not exist (ENOENT)
    assert_eq!(Err(ErrorKind::NotFound), server_folder.is_path_trav(&non_existent_file));
}
```
`is_path_trav` returns `Result<bool, std::io::ErrorKind>`. Unwrap it or use `match` to get the result. If it returns `true`, there is a path traversal; an `Err` means one of the paths could not be resolved (for example `ErrorKind::NotFound` when the file does not exist), which a caller should treat as a rejection rather than as "safe".
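The same canonicalise-then-compare idea, as an added example that is not the crate's own code and does not depend on it (std only; it builds a throw-away sample directory tree under the system temp dir and returns `io::Error` instead of a bare `ErrorKind`). It also shows why the comparison must be component-wise: a sibling directory whose name merely starts with the base name is still rejected.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// Canonicalise `base` and `candidate` and report whether the candidate
/// escapes the base. Both paths are made absolute (symlinks and `..`
/// resolved) and then compared component-wise with `Path::starts_with`,
/// so `<root>/data2` is NOT treated as inside `<root>/data` (a naive
/// string-prefix test would accept it). A missing file surfaces as an
/// io::Error (ErrorKind::NotFound), which callers must treat as "reject".
pub fn escapes_base(base: &Path, candidate: &Path) -> io::Result<bool> {
    let base = base.canonicalize()?;
    let candidate = candidate.canonicalize()?;
    Ok(!candidate.starts_with(&base))
}

/// Constructed sample tree so the check runs offline:
/// <tmp>/data/file.txt, <tmp>/data2/, <tmp>/secret.txt
/// Returns (inside, dotdot_escape, sibling_escape, missing_kind).
pub fn demo() -> io::Result<(bool, bool, bool, io::ErrorKind)> {
    let root = std::env::temp_dir().join(format!("path_trav_demo_{}", std::process::id()));
    let data = root.join("data");
    fs::create_dir_all(&data)?;
    fs::create_dir_all(root.join("data2"))?;
    fs::write(data.join("file.txt"), b"ok")?;
    fs::write(root.join("secret.txt"), b"sensitive")?;

    let inside = escapes_base(&data, &data.join("file.txt"))?;      // false: stays under data/
    let dotdot = escapes_base(&data, &data.join("../secret.txt"))?; // true: `..` leaves data/
    let sibling = escapes_base(&data, &root.join("data2"))?;        // true: data2 != data
    let missing = escapes_base(&data, &data.join("nope.txt")).unwrap_err().kind(); // NotFound

    fs::remove_dir_all(&root)?;
    Ok((inside, dotdot, sibling, missing))
}

fn main() -> io::Result<()> {
    let (inside, dotdot, sibling, missing) = demo()?;
    println!("inside={inside} dotdot={dotdot} sibling={sibling} missing={missing:?}");
    Ok(())
}
```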
Note: you can also use it with `PathBuf`:

```rust
use std::path::PathBuf;
use path_trav::*;

fn main() {
    let server_folder = PathBuf::from("./");
    let server_file = PathBuf::from("./tests/test.rs");
    assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));
}
```
There are a few integration tests in the `/tests` folder where you can check the Path Trav behavior.

`path_trav` is licensed under the Apache 2.0 license.

🥳 Any PR is welcome! It is a small project, so the guideline is to follow the code style and not make insane proposals.
Gátomo - Apache 2.0 License