Properly evaluate static serving wrt directory traversal attacks

[steveklabnik]

We serve static files, and check for . and .. in the path. This is probably not enough, but needs to be researched more.

[kardeiz]

It's not applicable verbatim, but Rocket's security checks for paths might be a good starting point: https://github.com/SergioBenitez/Rocket/blob/master/lib/src/request/param.rs#L328.

[scurest]

Note that empty components in a path are ignored: /, //, and /////// all name the same directory.

With that in mind, a client can currently access any file the server process can access on the host machine using a path like //etc/passwd because the server only truncates a single leading / from the request URI's path.

simple-server/src/lib.rs

Lines 349 to 350 in 10103f5

	// the uri always includes a leading /, which means that join will over-write the static directory...
	let fs_path = self.static_directory.join(&fs_path[1..]);

Example

$ curl -vs http://127.0.0.1:7878//etc/passwd
root:x:0:0:root:/root:/bin/bash
...

Possible alternative strategy is

1. ensure the static directory path is absolute
2. canonicalize the static directory path
3. join the uri path to the static directory path
4. canonicalize the result
5. check that the result starts_with the static directory path

[scurest]

Or how does this look to mitigate it? https://github.com/scurest/simple-server/commit/3ed6abe1a61e18f6dfdf3484902945d2a1e23699

We trim the single leading slash, put the rest into a path and iterate over its components, pushing the normals ones onto static_directory, but counting any non-normal component as a transversal attack.

edit: can make it even simpler. https://github.com/scurest/simple-server/commit/d2ccf63192e1904185913c03e493d59f5e6d8e62