path traversal, block such uploads, even they are safe for azure storage

nuclearcat · nuclearcat · commit 256aee40fa52 · 2026-02-21T02:14:31.000+02:00
Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,13 @@
-FROM rust:1.83 AS builder
+FROM rust:1.93 AS builder
 WORKDIR /usr/src/app
 COPY . .
 RUN cargo install --path .
 
-FROM debian:bookworm-slim
+FROM debian:trixie-slim
 RUN apt-get update && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /usr/local/cargo/bin/kernelci-storage /usr/local/bin/kernelci-storage
 # install ssl certificates
 RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
 RUN mkdir /workdir
 WORKDIR /workdir
 CMD ["kernelci-storage"]
-
-
diff --git a/src/main.rs b/src/main.rs
@@ -491,6 +491,13 @@ prefixes = ["/bob"]
 prefixes = [""]
 */
 
+fn validate_path(path: &str) -> Result<(), String> {
+    if path.contains("..") {
+        return Err("Path traversal detected".to_string());
+    }
+    Ok(())
+}
+
 fn verify_upload_permissions(owner: &str, path: &str) -> Result<(), String> {
     let cfg_content = get_config_content();
     let cfg: Table = toml::from_str(&cfg_content).unwrap();
@@ -658,6 +665,15 @@ async fn ax_post_file(
 
                     let full_path = format!("{}/{}", path, file0_filename);
 
+                    // validate path for traversal
+                    match validate_path(&full_path) {
+                        Ok(_) => (),
+                        Err(e) => {
+                            upload_result = Some((StatusCode::BAD_REQUEST, e.into_bytes()));
+                            break;
+                        }
+                    }
+
                     // verify upload permissions
                     match verify_upload_permissions(&owner, &path) {
                         Ok(_) => (),
@@ -781,6 +797,13 @@ async fn ax_post_file(
 
             let full_path = format!("{}/{}", path, file0_filename);
 
+            match validate_path(&full_path) {
+                Ok(_) => (),
+                Err(e) => {
+                    return (StatusCode::BAD_REQUEST, e.into_bytes());
+                }
+            }
+
             match verify_upload_permissions(&owner, &path) {
                 Ok(_) => (),
                 Err(e) => {
