Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

RUSTSEC-2021-0126: RustEmbed generated get method allows for directory traversal when reading files from disk #32

Open
github-actions bot opened this issue Nov 30, 2021 · 0 comments

Comments

@github-actions
Copy link

RustEmbed generated get method allows for directory traversal when reading files from disk

Details
Package rust-embed
Version 5.9.0
URL pyrossh/rust-embed#159
Date 2021-11-29
Patched versions >=6.3.0

When running in debug mode and the debug-embed (off by default) feature is
not enabled, the generated get method does not check that the input path is
a child of the folder given.

This allows attackers to read arbitrary files in the file system if they have
control over the filename given. The following code will print the contents of
your /etc/passwd if adjusted with a correct number of ../s depending on
where it is run from.

#[derive(rust_embed::RustEmbed)]
#[folder = "src/"]
pub struct Asset;

fn main() {
    let d = Asset::get("../../../etc/passwd").unwrap().data;
    println!("{}", String::from_utf8_lossy(&d));
}

The flaw was corrected by canonicalizing the input filename and ensuring that
it starts with the canonicalized folder path.

See advisory page for additional details.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

0 participants