sonatype-2021-4646 about rust-embed HOT 9 CLOSED

I think the confusion was that 6.2.0 of the main crate did have the bug (according to the changelog), but it was fixed in the 6.2.0 version of the impl crate.

from rust-embed.

[sonatype-2021-4646] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

rust-embed-impl - Path Traversal

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

from rust-embed.

Hmm I don't know if the typical scenario ../../../etc/passwd applies here as well since we don't have a filesystem here. But I guess we could normalize the input . I'm guessing this vulnerability happens or is exposed during development as that is when we use the filesystem to serve the files.

Any ideas, should we normalize the input path and remove ../../ at the beginning in this case?
@AzureMarker

from rust-embed.

Maybe check if canonical path starts with crate root? If not, reject it.

from rust-embed.

I thought we already patched this?

from rust-embed.

Yep just saw the code. It was implemented by you in this commit e1720ce

from rust-embed.

Can it just be that they have to recheck the project again? Maybe you should try to contact them as maintainers.

from rust-embed.

@pyrossh I think the issue is that we didn't release the impl crate for the last two versions. It's still on 6.2.0:

Edit: That or they mixed up the impl vs main crate versions.

from rust-embed.

@AzureMarker the latest impl crate version is v6.2.0. The crate versions don't need to match. I tried it myself and got the same. I have added a pants-ignore file for this vulnerability. We actually fixed this issue and published it for v6.2.0 of the impl crate.
6aafae6

from rust-embed.