Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/gatomod/path_trav
🤨🔎 A simple path traversal checker made with Rust. Useful for APIs that serve dynamic files.
fs path path-traversal rust security
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/gatomod/path_trav
- Owner: gatomod
- License: apache-2.0
- Created: 2022-11-21T18:58:06.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-06-22T14:22:49.000Z (over 1 year ago)
- Last Synced: 2023-12-19T17:45:38.047Z (about 1 year ago)
- Topics: fs, path, path-traversal, rust, security
- Language: Rust
- Homepage: https://docs.rs/path_trav/latest
- Size: 27.3 KB
- Stars: 5
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Path trav
### A simple path traversal checker made with Rust. Useful for APIs that serve dynamic files.

[License: Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0) · [crates.io](https://crates.io/crates/path_trav) · [docs.rs](https://docs.rs/path_trav) · [Discord](https://gatomo.ga/discord)
**Note:** this is a security tool. If you see something wrong, [open an issue in GitHub](https://github.com/gatomo-oficial/path_trav/issues).
## How does it work?

The `is_path_trav` function is implemented on `std::path::Path`. It receives two paths: the base path and the path to check.

To verify that the second path lies inside the first, `path_trav` converts both paths to absolute paths and checks whether the second path starts with the first.

#### Example 1.

> **Base:** */home/user/data* **-->** ***/home/user/data***
>
> **Rel:** *./data/folder* **-->** ***/home/user/data**/folder*

The relative path is inside the base path.

#### Example 2.

> **Base:** */home/user/data* **-->** */home/user/data*
>
> **Rel:** *./data/../../../etc/passwd* **-->** */etc/passwd*

The relative path is not inside the base path; it tries to access sensitive data.
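The check described above, written out as an added, self-contained example (this is not the `path_trav` crate's own code; the function and fixture names are mine and only `std` is used). It canonicalizes both paths, then compares them with `Path::starts_with`, which works on whole path components. That also covers a case the README does not spell out: a sibling directory such as `data2` shares a string prefix with `data` but must still count as outside the base. The fixture directory tree is constructed in the system temp dir so the block runs offline.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Returns Ok(true) when `candidate` resolves to a location outside `base`
/// (a path traversal), Ok(false) when it stays inside, and the I/O error when
/// either path cannot be canonicalized (for example because it does not exist).
pub fn is_path_traversal(base: &Path, candidate: &Path) -> io::Result<bool> {
    // canonicalize() makes both paths absolute and resolves `.`, `..` and
    // symlinks against the real filesystem, which is why the target must exist.
    let base_abs = fs::canonicalize(base)?;
    let cand_abs = fs::canonicalize(candidate)?;
    // Path::starts_with compares whole components, so ".../data2" is not
    // treated as being inside ".../data" (a plain string prefix test would).
    Ok(!cand_abs.starts_with(&base_abs))
}

/// Builds a throwaway directory tree for the demonstration (constructed sample data):
///   <tmp>/path_trav_demo_<pid>/data/folder/file.txt
///   <tmp>/path_trav_demo_<pid>/data2/other.txt
///   <tmp>/path_trav_demo_<pid>/secret.txt
fn make_fixture() -> io::Result<PathBuf> {
    let root = std::env::temp_dir().join(format!("path_trav_demo_{}", std::process::id()));
    fs::create_dir_all(root.join("data/folder"))?;
    fs::create_dir_all(root.join("data2"))?;
    fs::write(root.join("data/folder/file.txt"), b"public")?;
    fs::write(root.join("data2/other.txt"), b"sibling")?;
    fs::write(root.join("secret.txt"), b"sensitive")?;
    Ok(root)
}

/// Runs the checks against the fixture and returns
/// (inside_is_traversal, escape_is_traversal, sibling_is_traversal, missing_is_not_found).
pub fn demo() -> io::Result<(bool, bool, bool, bool)> {
    let root = make_fixture()?;
    let base = root.join("data");

    // 1. A file inside the base directory: not a traversal.
    let inside = is_path_traversal(&base, &base.join("folder/file.txt"))?;
    // 2. `..` climbing out of the base to a sensitive file: traversal.
    let escape = is_path_traversal(&base, &base.join("../secret.txt"))?;
    // 3. A sibling directory that shares a string prefix with the base: traversal.
    let sibling = is_path_traversal(&base, &base.join("../data2/other.txt"))?;
    // 4. A non-existent target yields an error, not a bool.
    let missing = is_path_traversal(&base, &base.join("folder/nope.txt"));
    let missing_is_not_found =
        matches!(&missing, Err(e) if e.kind() == io::ErrorKind::NotFound);

    let _ = fs::remove_dir_all(&root); // best-effort cleanup of the fixture
    Ok((inside, escape, sibling, missing_is_not_found))
}

fn main() -> io::Result<()> {
    let (inside, escape, sibling, missing) = demo()?;
    println!("data/folder/file.txt -> traversal? {inside}");
    println!("data/../secret.txt   -> traversal? {escape}");
    println!("data/../data2/other  -> traversal? {sibling}");
    println!("missing file         -> NotFound error? {missing}");
    Ok(())
}
```

Because canonicalization needs the filesystem, a missing file surfaces as an `io::Error` of kind `NotFound` rather than as a verdict; a server using this pattern should treat that error as "deny" rather than falling back to an unchecked path.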
## Examples
First, add `path_trav` to your Cargo.toml:
```toml
[dependencies]
path_trav = "2.0.0"
```

Then, in your main.rs file:

```rust
use std::io::ErrorKind;
use std::path::Path;
use path_trav::*;

fn main() {
    let server_folder = Path::new("./");
    let server_file = Path::new("./tests/test.rs");
    let important_file = Path::new("~/../../etc/passwd");
    let non_existent_file = Path::new("../weird_file");

    // Path is inside server_folder (Ok)
    assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));

    // Path tries to access sensitive data (path traversal detected)
    assert_eq!(Ok(true), server_folder.is_path_trav(&important_file));

    // File does not exist (ENOENT)
    assert_eq!(Err(ErrorKind::NotFound), server_folder.is_path_trav(&non_existent_file));
}
```
`is_path_trav` returns a `Result`. Unwrap it or use `match` to get the value. If it returns `true`, a path traversal was detected.
**Note:** *You can also use it with `PathBuf`.*

```rust
use std::path::PathBuf;
use path_trav::*;

let server_folder = PathBuf::from("./");
let server_file = PathBuf::from("./tests/test.rs");

assert_eq!(Ok(false), server_folder.is_path_trav(&server_file));
```

## Tests
There are a few integration tests in the `/tests` folder where you can check the Path Trav behavior.

## License

`path_trav` is licensed under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0).

## Contribute

🥳 Any PR is welcome! It is a small project, so the guideline is to follow the code style and not make unreasonable proposals.

## Links

- [Web](https://gatomo.ga)
- [Donate (via PayPal)](https://paypal.me/gatomooficial)
- [Discord (Spanish)](https://discord.gatomo.ga)

*Gátomo - Apache 2.0 License*