Fixed symlinks in debug mode

pyrossh · Feb 24, 2024 · 47e1f89 · 47e1f89
1 parent f099628
commit 47e1f89
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/impl/src/lib.rs b/impl/src/lib.rs
@@ -141,7 +141,16 @@ fn dynamic(ident: &syn::Ident, folder_path: String, prefix: Option<&str>, includ
               let canonical_file_path = file_path.canonicalize().ok()?;
               if !canonical_file_path.starts_with(#canonical_folder_path) {
                   // Tried to request a path that is not in the embedded folder
-                  return ::std::option::Option::None;
+
+                  // Should be allowed only if it was a symlink
+                  // TODO: Currently it allows "path_traversal_attack" for the symlink files
+                  // For it to be working properly we need to get absolute path first 
+                  // and check that instead if it starts with `canonical_folder_path`
+                  // https://doc.rust-lang.org/std/path/fn.absolute.html (currently nightly)
+                  let metadata = ::std::fs::metadata(file_path.as_path()).ok()?;
+                  if !metadata.is_symlink() {
+                    return ::std::option::Option::None;
+                  }
               }
 
               if rust_embed::utils::is_path_included(&rel_file_path, INCLUDES, EXCLUDES) {