From 5efb2e38ec4e4cd51ecaff7537edf1f32d54edd3 Mon Sep 17 00:00:00 2001
From: Sven Seeberg <mail@sven-seeberg.de>
Date: Thu, 9 Jan 2025 10:19:01 +0100
Subject: [PATCH] Prevent inclusion of files from parent dirs

---
 backend/src/main.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/backend/src/main.rs b/backend/src/main.rs
index 0d4b886..3ece888 100644
--- a/backend/src/main.rs
+++ b/backend/src/main.rs
@@ -80,7 +80,16 @@ async fn main() -> std::io::Result<()> {
 }
 
 async fn index(req: HttpRequest) -> Result<HttpResponse, CompatErr> {
-    let path = webpage_path().join(req.match_info().query("filename"));
+    let base_path = webpage_path();
+    let filename = req.match_info().query("filename");
+    let path = base_path.join(filename);
+    let canonical_path = path.canonicalize().map_err(|e| {
+        error!("Error while canonicalizing path: {}", e);
+        CompatErr::from(SpecialErrors::InvalidPath)
+    })?;
+    if !canonical_path.starts_with(base_path) {
+        return Err(CompatErr::from(SpecialErrors::AccessDenied));
+    }
     for file in &["", "index.html"] {
         let path = if file.is_empty() {
             path.to_owned()