Comments (9)
I think the confusion was that 6.2.0 of the main crate did have the bug (according to the changelog), but it was fixed in the 6.2.0 version of the impl crate.
from rust-embed.
[sonatype-2021-4646] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
rust-embed-impl - Path Traversal
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hmm I don't know if the typical scenario ../../../etc/passwd applies here as well since we don't have a filesystem here. But I guess we could normalize the input. I'm guessing this vulnerability happens or is exposed during development as that is when we use the filesystem to serve the files.
Any ideas, should we normalize the input path and remove ../../ at the beginning in this case?
@AzureMarker
Maybe check if canonical path starts with crate root? If not, reject it.
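The canonicalize-and-prefix check suggested in the comment above, written out as an added example (this is not rust-embed's own code; the asset folder layout and file names are constructed for the demo):

```rust
use std::io;
use std::path::{Path, PathBuf};

/// Resolve `requested` against `root` and return the canonical path only if it
/// is still inside `root`. Canonicalizing both sides collapses `..` segments
/// and follows symlinks, so a link inside `root` that points elsewhere is also
/// rejected. `None` means "do not serve this file".
pub fn resolve_inside(root: &Path, requested: &str) -> io::Result<Option<PathBuf>> {
    let root = root.canonicalize()?;
    // join() with an absolute `requested` discards `root`; the starts_with
    // check below still catches that case.
    let candidate = root.join(requested);
    let canonical = match candidate.canonicalize() {
        Ok(p) => p,
        // A missing file cannot be canonicalized; treat it as not servable.
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(e),
    };
    // Path::starts_with compares whole components, so `/tmp/assets2` is not
    // considered to be under `/tmp/assets` (a plain string prefix test would).
    Ok(if canonical.starts_with(&root) { Some(canonical) } else { None })
}

fn main() -> io::Result<()> {
    // Constructed demo layout in a temp dir (hypothetical asset folder):
    //   <tmp>/embed_demo_<pid>/assets/css/app.css   (inside root)
    //   <tmp>/embed_demo_<pid>/secret.txt           (outside root)
    let base = std::env::temp_dir().join(format!("embed_demo_{}", std::process::id()));
    let root = base.join("assets");
    std::fs::create_dir_all(root.join("css"))?;
    std::fs::write(root.join("css").join("app.css"), b"body{}")?;
    std::fs::write(base.join("secret.txt"), b"not an asset")?;
    for req in ["css/app.css", "css/../../secret.txt", "../secret.txt", "missing.css"] {
        match resolve_inside(&root, req)? {
            Some(p) => println!("{req:<24} -> serve {}", p.display()),
            None => println!("{req:<24} -> rejected"),
        }
    }
    std::fs::remove_dir_all(&base)
}
```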
I thought we already patched this?
Yep just saw the code. It was implemented by you in this commit e1720ce
Can it just be that they have to recheck the project again? Maybe you should try to contact them as maintainers.
@pyrossh I think the issue is that we didn't release the impl crate for the last two versions. It's still on 6.2.0:
Edit: That or they mixed up the impl vs main crate versions.
@AzureMarker the latest impl crate version is v6.2.0. The crate versions don't need to match. I tried it myself and got the same. I have added a pants-ignore file for this vulnerability. We actually fixed this issue and published it for v6.2.0 of the impl crate.
6aafae6