prevent traversal request

2026-03-31 16:55:29 +00:00 · 2026-03-19 20:26:54 +02:00 · 2026-03-19 20:26:54 +02:00 · 694110583f
commit 694110583f
parent b141bdcf8c
1 changed files with 7 additions and 2 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -193,13 +193,18 @@ fn main() -> Result<()> {
                            let path_source = {
                                let mut p = PathBuf::from(&config.upload);
                                p.push(upload);
-                                p
+                                p.canonicalize()?
                            };
                            let path_target = {
                                let mut p = PathBuf::from(&config.target);
                                p.push(upload);
-                                p
+                                p.canonicalize()?
                            };
+
+                            // prevent traversal request
+                            assert!(path_source.starts_with(&config.upload));
+                            assert!(path_target.starts_with(&config.target));
+
                            let path_parent = path_target.parent().unwrap();

                            create_dir_all(path_parent)?;