1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

//! Sandboxed path canonicalization.

use crate::fs::canonicalize_impl;
#[cfg(racy_asserts)]
use crate::fs::{file_path, open, OpenOptions};
use std::{
    fs, io,
    path::{Path, PathBuf},
};

/// Canonicalize the given path, ensuring that the resolution of the path never
/// escapes the directory tree rooted at `start`.
#[cfg_attr(not(racy_asserts), allow(clippy::let_and_return))]
#[inline]
pub fn canonicalize(start: &fs::File, path: &Path) -> io::Result<PathBuf> {
    // Call the underlying implementation.
    let result = canonicalize_impl(start, path);

    #[cfg(racy_asserts)]
    check_canonicalize(start, path, &result);

    result
}

#[cfg(racy_asserts)]
fn check_canonicalize(start: &fs::File, path: &Path, result: &io::Result<PathBuf>) {
    if let Ok(canonical_path) = result {
        let path_result = open(start, path, OpenOptions::new().read(true));
        let canonical_result = open(start, canonical_path, OpenOptions::new().read(true));
        match (path_result, canonical_result) {
            (Ok(path_file), Ok(canonical_file)) => assert_same_file!(
                &path_file,
                &canonical_file,
                "we should be able to stat paths that we just canonicalized"
            ),
            (Err(path_err), Err(canonical_err)) => {
                assert_eq!(path_err.to_string(), canonical_err.to_string())
            }
            other => panic!("inconsistent canonicalize checks: {:?}", other),
        }

        // On operating systems which can tell us the path of a file descriptor,
        // assert that the path we computed canonicalizes to the same thing as
        // the input canonicalizes too.
        if let Some(start_abspath) = file_path(start) {
            let check_abspath = start_abspath.join(path);
            let result_abspath = start_abspath.join(canonical_path);
            if let Ok(check_abspath) = fs::canonicalize(check_abspath) {
                let result_abspath =
                    fs::canonicalize(result_abspath).expect("we already canonicalized this");
                assert_eq!(
                    check_abspath,
                    result_abspath,
                    "incorrect canonicalization: start='{:?}' path='{}' result='{}'",
                    start,
                    path.display(),
                    canonical_path.display()
                );
                // TODO: When porting to Windows, check whether `start_abspath` not being
                // a canonicalized path leads to `\\?\` extended path prefix differences.
                assert!(
                    result_abspath.starts_with(start_abspath),
                    "sandbox escape: start='{:?}' path='{}' result='{}'",
                    start,
                    path.display(),
                    canonical_path.display()
                );
            }
        }
    }
}