Crate path_ratchet

PathBuf::push allows any form of path traversal:

use std::path::PathBuf;

let user_input = "/etc/shadow";
let mut filename = PathBuf::from("/tmp");
// Pushing an absolute path replaces the existing path entirely.
filename.push(user_input);
assert_eq!(filename, PathBuf::from("/etc/shadow"));

In contrast, <PathBuf as PushPathComponent>::push_component requires a path with only a single element.

use std::path::PathBuf;
use path_ratchet::prelude::*;

let user_input = "/etc/shadow";
let mut filename = PathBuf::from("/tmp");
// "/etc/shadow" has more than one component, so new() rejects it and unwrap() panics.
filename.push_component(SingleComponentPath::new(user_input).unwrap());

Security

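It is essential to check the path on the same platform it is used on. For example, on a UNIX system the path C:\path\to\file.txt is interpreted as a single file or directory name.

use path_ratchet::prelude::*;

// Backslashes are not separators on UNIX, so the whole string counts as one component there.
SingleComponentPath::new(r"C:\path\to\file.txt").unwrap();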
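
The single-component rule and the platform caveat above, sketched with only std::path. This is an added example, not path_ratchet's implementation; the helper names single_component and join_under are hypothetical and the inputs are constructed.

```rust
use std::ffi::OsStr;
use std::path::{Component, Path, PathBuf};

/// Returns the input's only component if it is exactly one normal
/// file or directory name; rejects roots, prefixes, "." and "..".
/// Hypothetical helper, not part of path_ratchet.
fn single_component(input: &str) -> Option<&OsStr> {
    let mut components = Path::new(input).components();
    match (components.next(), components.next()) {
        (Some(Component::Normal(name)), None) => Some(name),
        _ => None,
    }
}

/// Joins untrusted input under `base` only if it passes the check.
/// The parsed component is joined, never the raw input string.
fn join_under(base: &Path, input: &str) -> Option<PathBuf> {
    single_component(input).map(|name| base.join(name))
}

fn main() {
    let base = Path::new("/tmp");
    // Constructed sample inputs covering absolute, relative-traversal,
    // multi-component, empty and Windows-style paths.
    let samples = [
        "report.txt",
        "/etc/shadow",
        "../etc/shadow",
        "a/b",
        "..",
        "",
        r"C:\path\to\file.txt",
    ];
    for input in samples {
        // The Windows-style path is parsed with the rules of the platform
        // this runs on: one component on UNIX, several on Windows.
        println!("{:?} -> {:?}", input, join_under(base, input));
    }
}
```

The last sample is the reason the check has to run on the platform where the path is used: the same string passes on UNIX and is rejected on Windows.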

Modules

Structs

  • A safe wrapper for a Path. This prevents path traversal attacks.
  • A safe wrapper for a PathBuf. This prevents path traversal attacks.
  • A safe wrapper for a Path with only a single component. This prevents path traversal attacks.
  • A safe wrapper for a PathBuf with only a single component. This prevents path traversal attacks.

Traits