Merge pull request #28 from nuclearcat/fix-path

Treat empty path as /

Author: nuclearcat

src/local.rs

@@ -66,7 +66,20 @@ fn ensure_directory_exists(file_path: &Path) -> Result<(), std::io::Error> {
 fn get_storage_file_path(filename: &str) -> PathBuf {
     let config = get_local_config();
     let storage_path = Path::new(&config.storage_path);
-    storage_path.join(filename)
+    // Strip leading slashes to ensure the path is always relative to storage root
+    let safe_name = filename.trim_start_matches('/');
+    let full = storage_path.join(safe_name);
+    // Defense-in-depth: verify resolved path stays within storage root
+    let canonical_storage = storage_path.canonicalize().unwrap_or_else(|_| storage_path.to_path_buf());
+    // Use the parent directory for canonicalization since the file may not exist yet
+    let parent = full.parent().unwrap_or(&full);
+    let canonical_parent = parent.canonicalize().unwrap_or_else(|_| parent.to_path_buf());
+    if !canonical_parent.starts_with(&canonical_storage) {
+        // Fall back to storage root to prevent escape
+        storage_path.join(Path::new(safe_name).file_name().unwrap_or_default())
+    } else {
+        full
+    }
 }
 
 /// Get metadata file path for storing headers

src/main.rs

@@ -513,6 +513,25 @@ fn validate_path(path: &str) -> Result<(), String> {
     Ok(())
 }
 
+/// Build a normalized, validated storage key from the upload path and filename.
+/// Strips trailing slashes from `path`, joins with `filename`, strips leading slashes,
+/// and validates against path traversal.
+fn build_storage_key(path: &mut String, filename: &str) -> Result<String, String> {
+    // Remove trailing slash
+    if path.ends_with('/') {
+        path.pop();
+    }
+    let full_path = if path.is_empty() {
+        filename.to_string()
+    } else {
+        format!("{}/{}", path, filename)
+    };
+    // Normalize: strip leading slashes so the path is always relative
+    let full_path = full_path.trim_start_matches('/').to_string();
+    validate_path(&full_path)?;
+    Ok(full_path)
+}
+
 fn verify_upload_permissions(owner: &str, path: &str) -> Result<(), String> {
     let cfg_content = get_config_content();
     let cfg: Table = toml::from_str(&cfg_content).unwrap();
@@ -682,22 +701,13 @@ async fn ax_post_file(
                     }
 
                     // FAST PATH: path already set, stream directly
-                    // if path ends on /, remove it
-                    if path.ends_with("/") {
-                        debug_log!("Removing trailing /, workaround");
-                        path.pop();
-                    }
-
-                    let full_path = format!("{}/{}", path, file0_filename);
-
-                    // validate path for traversal
-                    match validate_path(&full_path) {
-                        Ok(_) => (),
+                    let full_path = match build_storage_key(&mut path, &file0_filename) {
+                        Ok(p) => p,
                         Err(e) => {
                             upload_result = Some((StatusCode::BAD_REQUEST, e.into_bytes()));
                             break;
                         }
-                    }
+                    };
 
                     // verify upload permissions
                     match verify_upload_permissions(&owner, &path) {
@@ -814,26 +824,12 @@ async fn ax_post_file(
     // Handle buffered file0 case (file0 arrived before path)
     if upload_result.is_none() {
         if let Some(tmp) = buffered_file {
-            if path.is_empty() {
-                return (
-                    StatusCode::BAD_REQUEST,
-                    b"Missing path field in upload".to_vec(),
-                );
-            }
-
-            if path.ends_with("/") {
-                debug_log!("Removing trailing /, workaround");
-                path.pop();
-            }
-
-            let full_path = format!("{}/{}", path, file0_filename);
-
-            match validate_path(&full_path) {
-                Ok(_) => (),
+            let full_path = match build_storage_key(&mut path, &file0_filename) {
+                Ok(p) => p,
                 Err(e) => {
                     return (StatusCode::BAD_REQUEST, e.into_bytes());
                 }
-            }
+            };
 
             match verify_upload_permissions(&owner, &path) {
                 Ok(_) => (),