ccd-cli 1.0.0-beta.2

Bootstrap and validate Continuous Context Development repositories
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

use std::path::{Component, Path, PathBuf};

use anyhow::{bail, Context, Result};

// The filesystem never percent-decodes path segments before canonicalization, so
// two rounds are enough to catch the common encoded and double-encoded traversal
// cases without rejecting deeper literal `%25...` directory names.
const MAX_PERCENT_DECODE_ROUNDS: usize = 2;

pub fn resolve(path: &Path) -> Result<PathBuf> {
    let raw = path
        .to_str()
        .ok_or_else(|| anyhow::anyhow!("unsafe --path value: paths must be valid UTF-8"))?;

    reject_control_chars(raw)?;
    reject_parent_traversal(path)?;
    reject_encoded_unsafe_sequences(raw)?;

    let canonical = path
        .canonicalize()
        .with_context(|| format!("failed to resolve --path `{raw}`"))?;

    if !canonical.is_dir() {
        bail!("--path must point to a directory: {}", canonical.display());
    }

    Ok(canonical)
}

fn reject_control_chars(raw: &str) -> Result<()> {
    if raw.chars().any(char::is_control) {
        bail!("unsafe --path value: control characters are not allowed");
    }

    Ok(())
}

fn reject_parent_traversal(path: &Path) -> Result<()> {
    if path
        .components()
        .any(|component| matches!(component, Component::ParentDir))
    {
        bail!("unsafe --path value: parent-directory traversal (`..`) is not allowed");
    }

    Ok(())
}

fn reject_encoded_unsafe_sequences(raw: &str) -> Result<()> {
    let mut decoded = raw.to_owned();

    for _ in 0..MAX_PERCENT_DECODE_ROUNDS {
        let next = percent_decode_once(&decoded);
        if next == decoded {
            break;
        }

        if next.chars().any(char::is_control) {
            bail!("unsafe --path value: encoded control characters are not allowed");
        }

        if has_parent_component(&next) {
            bail!("unsafe --path value: encoded parent-directory traversal is not allowed");
        }

        decoded = next;
    }

    Ok(())
}

fn has_parent_component(input: &str) -> bool {
    input.split(['/', '\\']).any(|segment| segment == "..")
}

fn percent_decode_once(input: &str) -> String {
    let bytes = input.as_bytes();
    let mut decoded = Vec::with_capacity(bytes.len());
    let mut idx = 0usize;

    while idx < bytes.len() {
        if bytes[idx] == b'%' && idx + 2 < bytes.len() {
            if let (Some(hi), Some(lo)) = (from_hex(bytes[idx + 1]), from_hex(bytes[idx + 2])) {
                decoded.push((hi << 4) | lo);
                idx += 3;
                continue;
            }
        }

        decoded.push(bytes[idx]);
        idx += 1;
    }

    String::from_utf8_lossy(&decoded).into_owned()
}

fn from_hex(byte: u8) -> Option<u8> {
    match byte {
        b'0'..=b'9' => Some(byte - b'0'),
        b'a'..=b'f' => Some(byte - b'a' + 10),
        b'A'..=b'F' => Some(byte - b'A' + 10),
        _ => None,
    }
}

#[cfg(test)]
mod tests {
    use super::reject_encoded_unsafe_sequences;

    #[test]
    fn rejects_double_encoded_parent_traversal() {
        let error = reject_encoded_unsafe_sequences("%252e%252e/%252e%252e/outside").unwrap_err();
        assert!(error
            .to_string()
            .contains("encoded parent-directory traversal"));
    }

    #[test]
    fn treats_triple_encoded_parent_traversal_as_literal_path() {
        assert!(reject_encoded_unsafe_sequences("%25252e%25252e/%25252e%25252e/outside").is_ok());
    }
}