actix/actix-web
1
0
Fork 0
mirror of https://github.com/fafhrd91/actix-web synced 2025-02-17 10:13:30 +01:00
Code Issues Releases Wiki Activity

disallow query or fragements in url_for constructions (#2430)

Browse Source 
Co-authored-by: Rob Ede <robjtede@icloud.com>
This commit is contained in:
Ali MJ Al-Nasrawy 2021-12-05 07:39:18 +03:00 committed by GitHub
parent e1a2d9c606
commit 59be0c65c6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 96 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES.md
View File

@ -12,12 +12,14 @@
* Rename `Accept::{mime_precedence => ranked}`. [#2480] * Rename `Accept::{mime_precedence => ranked}`. [#2480]
* Rename `Accept::{mime_preference => preference}`. [#2480] * Rename `Accept::{mime_preference => preference}`. [#2480]
* Un-deprecate `App::data_factory`. [#2484] * Un-deprecate `App::data_factory`. [#2484]
* `HttpRequest::url_for` no longer constructs URLs with query or fragment components. [#2430]
### Fixed ### Fixed
* Accept wildcard `*` items in `AcceptLanguage`. [#2480] * Accept wildcard `*` items in `AcceptLanguage`. [#2480]
* Re-exports `dev::{BodySize, MessageBody, SizedStream}`. They are exposed through the `body` module. [#2468] * Re-exports `dev::{BodySize, MessageBody, SizedStream}`. They are exposed through the `body` module. [#2468]
* Typed headers containing lists that require one or more items now enforce this minimum. [#2482] * Typed headers containing lists that require one or more items now enforce this minimum. [#2482]
[#2430]: https://github.com/actix/actix-web/pull/2430
[#2468]: https://github.com/actix/actix-web/pull/2468 [#2468]: https://github.com/actix/actix-web/pull/2468
[#2480]: https://github.com/actix/actix-web/pull/2480 [#2480]: https://github.com/actix/actix-web/pull/2480
[#2482]: https://github.com/actix/actix-web/pull/2482 [#2482]: https://github.com/actix/actix-web/pull/2482

8
src/error/mod.rs
View File

@ -29,15 +29,15 @@ pub type Result<T, E = Error> = std::result::Result<T, E>;
#[derive(Debug, PartialEq, Display, Error, From)] #[derive(Debug, PartialEq, Display, Error, From)]
#[non_exhaustive] #[non_exhaustive]
pub enum UrlGenerationError { pub enum UrlGenerationError {
/// Resource not found /// Resource not found.
#[display(fmt = "Resource not found")] #[display(fmt = "Resource not found")]
ResourceNotFound, ResourceNotFound,
/// Not all path pattern covered /// Not all URL parameters covered.
#[display(fmt = "Not all path pattern covered")] #[display(fmt = "Not all URL parameters covered")]
NotEnoughElements, NotEnoughElements,
/// URL parse error /// URL parse error.
#[display(fmt = "{}", _0)] #[display(fmt = "{}", _0)]
ParseError(UrlParseError), ParseError(UrlParseError),
} }

38
src/request.rs
View File

@ -100,7 +100,7 @@ impl HttpRequest {
&self.head().headers &self.head().headers
} }
/// The target path of this Request. /// The target path of this request.
#[inline] #[inline]
pub fn path(&self) -> &str { pub fn path(&self) -> &str {
self.head().uri.path() self.head().uri.path()
@ -108,18 +108,22 @@ impl HttpRequest {
/// The query string in the URL. /// The query string in the URL.
/// ///
/// E.g., id=10 /// Example: `id=10`
#[inline] #[inline]
pub fn query_string(&self) -> &str { pub fn query_string(&self) -> &str {
self.uri().query().unwrap_or_default() self.uri().query().unwrap_or_default()
} }
/// Get a reference to the Path parameters. /// Returns a reference to the URL parameters container.
/// ///
/// Params is a container for url parameters. /// A url parameter is specified in the form `{identifier}`, where the identifier can be used
/// A variable segment is specified in the form `{identifier}`, /// later in a request handler to access the matched value for that parameter.
/// where the identifier can be used later in a request handler to ///
/// access the matched value for that segment. /// # Percent Encoding and URL Parameters
/// Because each URL parameter is able to capture multiple path segments, both `["%2F", "%25"]`
/// found in the request URI are not decoded into `["/", "%"]` in order to preserve path
/// segment boundaries. If a url parameter is expected to contain these characters, then it is
/// on the user to decode them.
#[inline] #[inline]
pub fn match_info(&self) -> &Path<Url> { pub fn match_info(&self) -> &Path<Url> {
&self.inner.path &self.inner.path
@ -161,23 +165,29 @@ impl HttpRequest {
self.head().extensions_mut() self.head().extensions_mut()
} }
/// Generate url for named resource /// Generates URL for a named resource.
/// ///
/// This substitutes in sequence all URL parameters that appear in the resource itself and in
/// parent [scopes](crate::web::scope), if any.
///
/// It is worth noting that the characters `['/', '%']` are not escaped and therefore a single
/// URL parameter may expand into multiple path segments and `elements` can be percent-encoded
/// beforehand without worrying about double encoding. Any other character that is not valid in
/// a URL path context is escaped using percent-encoding.
///
/// # Examples
/// ``` /// ```
/// # use actix_web::{web, App, HttpRequest, HttpResponse}; /// # use actix_web::{web, App, HttpRequest, HttpResponse};
/// #
/// fn index(req: HttpRequest) -> HttpResponse { /// fn index(req: HttpRequest) -> HttpResponse {
/// let url = req.url_for("foo", &["1", "2", "3"]); // <- generate url for "foo" resource /// let url = req.url_for("foo", &["1", "2", "3"]); // <- generate URL for "foo" resource
/// HttpResponse::Ok().into() /// HttpResponse::Ok().into()
/// } /// }
/// ///
/// fn main() {
/// let app = App::new() /// let app = App::new()
/// .service(web::resource("/test/{one}/{two}/{three}") /// .service(web::resource("/test/{one}/{two}/{three}")
/// .name("foo") // <- set resource name, then it could be used in `url_for` /// .name("foo") // <- set resource name so it can be used in `url_for`
/// .route(web::get().to(|| HttpResponse::Ok())) /// .route(web::get().to(|| HttpResponse::Ok()))
/// ); /// );
/// }
/// ``` /// ```
pub fn url_for<U, I>(&self, name: &str, elements: U) -> Result<url::Url, UrlGenerationError> pub fn url_for<U, I>(&self, name: &str, elements: U) -> Result<url::Url, UrlGenerationError>
where where
@ -196,8 +206,8 @@ impl HttpRequest {
self.url_for(name, &NO_PARAMS) self.url_for(name, &NO_PARAMS)
} }
#[inline]
/// Get a reference to a `ResourceMap` of current application. /// Get a reference to a `ResourceMap` of current application.
#[inline]
pub fn resource_map(&self) -> &ResourceMap { pub fn resource_map(&self) -> &ResourceMap {
self.app_state().rmap() self.app_state().rmap()
} }

75
src/rmap.rs
View File

@ -1,12 +1,14 @@
use std::cell::RefCell; use std::{
use std::rc::{Rc, Weak}; borrow::Cow,
cell::RefCell,
rc::{Rc, Weak},
};
use actix_router::ResourceDef; use actix_router::ResourceDef;
use ahash::AHashMap; use ahash::AHashMap;
use url::Url; use url::Url;
use crate::error::UrlGenerationError; use crate::{error::UrlGenerationError, request::HttpRequest};
use crate::request::HttpRequest;
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub struct ResourceMap { pub struct ResourceMap {
@ -102,17 +104,28 @@ impl ResourceMap {
}) })
.ok_or(UrlGenerationError::NotEnoughElements)?; .ok_or(UrlGenerationError::NotEnoughElements)?;
if path.starts_with('/') { let (base, path): (Cow<'_, _>, _) = if path.starts_with('/') {
// build full URL from connection info parts and resource path
let conn = req.connection_info(); let conn = req.connection_info();
Ok(Url::parse(&format!( let base = format!("{}://{}", conn.scheme(), conn.host());
"{}://{}{}", (Cow::Owned(base), path.as_str())
conn.scheme(),
conn.host(),
path
))?)
} else { } else {
Ok(Url::parse(&path)?) // external resource; third slash would be the root slash in the path
} let third_slash_index = path
.char_indices()
.filter_map(|(i, c)| (c == '/').then(|| i))
.nth(2)
.unwrap_or_else(|| path.len());
(
Cow::Borrowed(&path[..third_slash_index]),
&path[third_slash_index..],
)
};
let mut url = Url::parse(&base)?;
url.set_path(path);
Ok(url)
} }
pub fn has_resource(&self, path: &str) -> bool { pub fn has_resource(&self, path: &str) -> bool {
@ -406,6 +419,42 @@ mod tests {
assert!(rmap.url_for(&req, "missing", &["u123"]).is_err()); assert!(rmap.url_for(&req, "missing", &["u123"]).is_err());
} }
#[test]
fn url_for_parser() {
let mut root = ResourceMap::new(ResourceDef::prefix(""));
let mut rdef_1 = ResourceDef::new("/{var}");
rdef_1.set_name("internal");
let mut rdef_2 = ResourceDef::new("http://host.dom/{var}");
rdef_2.set_name("external.1");
let mut rdef_3 = ResourceDef::new("{var}");
rdef_3.set_name("external.2");
root.add(&mut rdef_1, None);
root.add(&mut rdef_2, None);
root.add(&mut rdef_3, None);
let rmap = Rc::new(root);
ResourceMap::finish(&rmap);
let mut req = crate::test::TestRequest::default();
req.set_server_hostname("localhost:8888");
let req = req.to_http_request();
const INPUT: &[&str] = &["a/../quick brown%20fox/%nan?query#frag"];
const OUTPUT: &str = "/quick%20brown%20fox/%nan%3Fquery%23frag";
let url = rmap.url_for(&req, "internal", INPUT).unwrap();
assert_eq!(url.path(), OUTPUT);
let url = rmap.url_for(&req, "external.1", INPUT).unwrap();
assert_eq!(url.path(), OUTPUT);
assert!(rmap.url_for(&req, "external.2", INPUT).is_err());
assert!(rmap.url_for(&req, "external.2", &[""]).is_err());
}
#[test] #[test]
fn external_resource_with_no_name() { fn external_resource_with_no_name() {
let mut root = ResourceMap::new(ResourceDef::prefix("")); let mut root = ResourceMap::new(ResourceDef::prefix(""));