irosh 0.2.0

SSH sessions over Iroh peer-to-peer transport
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

use crate::error::{Result, TransportError};
use std::path::{Component, Path, PathBuf};

/// Sanitizes a path received over the network to prevent path traversal.
///
/// This ensures the path is relative and does not contain components that would
/// escape the base directory (like `..` or absolute roots).
pub fn sanitize_remote_path(raw: &str) -> Result<PathBuf> {
    if raw.contains('\0') {
        return Err(crate::error::IroshError::Transport(
            TransportError::Transfer(crate::transport::transfer::TransferError::InvalidPath(
                "path contains null byte".to_string(),
            )),
        ));
    }

    let raw_path = Path::new(raw);

    // We strictly forbid absolute paths from the network.
    if raw_path.is_absolute() {
        return Err(crate::error::IroshError::Transport(
            TransportError::Transfer(crate::transport::transfer::TransferError::InvalidPath(
                format!("absolute path not allowed: {}", raw),
            )),
        ));
    }

    let mut sanitized = PathBuf::new();
    for component in raw_path.components() {
        match component {
            Component::Normal(c) => sanitized.push(c),
            Component::CurDir => {}
            Component::ParentDir => {
                // We do not allow '..' to pop above the current sanitized root.
                // This prevents "root/../../etc/passwd" from becoming "/etc/passwd".
                if !sanitized.pop() {
                    return Err(crate::error::IroshError::Transport(
                        TransportError::Transfer(
                            crate::transport::transfer::TransferError::InvalidPath(format!(
                                "path traversal attempt detected: {}",
                                raw
                            )),
                        ),
                    ));
                }
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(crate::error::IroshError::Transport(
                    TransportError::Transfer(
                        crate::transport::transfer::TransferError::InvalidPath(format!(
                            "root or prefix components not allowed: {}",
                            raw
                        )),
                    ),
                ));
            }
        }
    }

    if sanitized.as_os_str().is_empty() {
        return Err(crate::error::IroshError::Transport(
            TransportError::Transfer(crate::transport::transfer::TransferError::InvalidPath(
                "sanitized path is empty".to_string(),
            )),
        ));
    }

    Ok(sanitized)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_sanitize_remote_path() {
        // Valid relative paths
        assert_eq!(
            sanitize_remote_path("file.txt").unwrap(),
            PathBuf::from("file.txt")
        );
        assert_eq!(
            sanitize_remote_path("dir/file.txt").unwrap(),
            PathBuf::from("dir/file.txt")
        );
        assert_eq!(
            sanitize_remote_path("./file.txt").unwrap(),
            PathBuf::from("file.txt")
        );

        // Block absolute
        assert!(sanitize_remote_path("/etc/passwd").is_err());

        // Block traversal
        assert!(sanitize_remote_path("../file.txt").is_err());
        assert!(sanitize_remote_path("dir/../../file.txt").is_err());

        // Allow internal .. as long as it doesn't escape
        assert_eq!(
            sanitize_remote_path("dir/subdir/../file.txt").unwrap(),
            PathBuf::from("dir/file.txt")
        );

        // Block null bytes
        assert!(sanitize_remote_path("file\0.txt").is_err());
    }
}