Closed TheAlgorythm closed 8 months ago
chipsenkbeil
commented
11 months ago @TheAlgorythm I'm unfamiliar with path traversal attacks. It looks like your crate supports std paths, so would it make sense to add a feature to it to support the typed-path crate as an alternative?
Otherwise, could you share a little more information regarding what the traversal attacks are and how protection could be incorporated into this crate? I'm also open to PRs, of course 😄
TheAlgorythm
commented
11 months ago A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the specified folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.
Mostly from OWASP but a bit more general.
Something like this where the pushed strings are user input:
let mut path = PathBuf::new("/tmp/my-app");
path.push("/etc/shadow"); // or
path.push("../other-app/secret");Yes, my crate is for std (btw I was a bit shocked that there was no mechanism against this attack in std).
I thought about a feature flag in mine for your crate but it would be better if it was directly integrated because of the security-by-default-principle.
chipsenkbeil
commented
8 months ago
It would be great if this crate would support a protection against path traversal attacks. Ideally it would be by a generic wrapper type like I did with my crate path_ratchet.