add files path traversal tests

actix-files/src/path_buf.rs

@@ -8,7 +8,7 @@ use actix_web::{dev::Payload, FromRequest, HttpRequest};
 
 use crate::error::UriSegmentError;
 
-#[derive(Debug)]
+#[derive(Debug, PartialEq, Eq)]
 pub(crate) struct PathBufWrap(PathBuf);
 
 impl FromStr for PathBufWrap {
@@ -21,6 +21,8 @@ impl FromStr for PathBufWrap {
 
 impl PathBufWrap {
     /// Parse a path, giving the choice of allowing hidden files to be considered valid segments.
+    ///
+    /// Path traversal is guarded by this method.
     pub fn parse_path(path: &str, hidden_files: bool) -> Result<Self, UriSegmentError> {
         let mut buf = PathBuf::new();
 
@@ -115,4 +117,24 @@ mod tests {
             PathBuf::from_iter(vec!["test", ".tt"])
         );
     }
+
+    #[test]
+    fn path_traversal() {
+        assert_eq!(
+            PathBufWrap::parse_path("/../README.md", false).unwrap().0,
+            PathBuf::from_iter(vec!["README.md"])
+        );
+
+        assert_eq!(
+            PathBufWrap::parse_path("/../README.md", true).unwrap().0,
+            PathBuf::from_iter(vec!["README.md"])
+        );
+
+        assert_eq!(
+            PathBufWrap::parse_path("/../../../../../../../../../../etc/passwd", false)
+                .unwrap()
+                .0,
+            PathBuf::from_iter(vec!["etc/passwd"])
+        );
+    }
 }

actix-files/tests/traversal.rs

@@ -0,0 +1,27 @@
+use actix_files::Files;
+use actix_web::{
+    http::StatusCode,
+    test::{self, TestRequest},
+    App,
+};
+
+#[actix_rt::test]
+async fn test_directory_traversal_prevention() {
+    let srv = test::init_service(App::new().service(Files::new("/", "./tests"))).await;
+
+    let req =
+        TestRequest::with_uri("/../../../../../../../../../../../etc/passwd").to_request();
+    let res = test::call_service(&srv, req).await;
+    assert_eq!(res.status(), StatusCode::NOT_FOUND);
+
+    let req = TestRequest::with_uri(
+        "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+    )
+    .to_request();
+    let res = test::call_service(&srv, req).await;
+    assert_eq!(res.status(), StatusCode::NOT_FOUND);
+
+    let req = TestRequest::with_uri("/%00/etc/passwd%00").to_request();
+    let res = test::call_service(&srv, req).await;
+    assert_eq!(res.status(), StatusCode::NOT_FOUND);
+}