From c47c78773aa4affbf47386ca9080604048ebeace Mon Sep 17 00:00:00 2001
From: mrw1593
Date: Sat, 3 Jun 2023 09:47:46 -0400
Subject: Fixed security bugs with reading files

---
 Cargo.lock | 7 +++++++
 Cargo.toml | 1 +
 src/resources/scripts.rs | 5 +++--
 src/resources/style.rs | 5 +++--
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index c51cb79..5947f93 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1325,6 +1325,12 @@ version = "1.0.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f746c4065a8fa3fe23974dd82f15431cc8d40779821001404d10d2e79ca7d79"

+[[package]]
+name = "path-clean"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef"
+
 [[package]]
 name = "pem-rfc7468"
 version = "0.3.1"
@@ -1640,6 +1646,7 @@ dependencies = [
 "hex",
 "log",
 "parking_lot 0.12.1",
+ "path-clean",
 "raise",
 "rand",
 "rust-argon2",
diff --git a/Cargo.toml b/Cargo.toml
index 532fc6e..045bea4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,6 +11,7 @@ tera = "1"
 serde = "1"
 thiserror = "1"
 rust-argon2 = "1"
+path-clean = "1"
 uuid = { version = "1", features = [ "v4", "fast-rng", "serde" ] }
 url = { version = "2", features = ["serde"] }
 raise = "2"
diff --git a/src/resources/scripts.rs b/src/resources/scripts.rs
index 3e2d869..1b27859 100644
--- a/src/resources/scripts.rs
+++ b/src/resources/scripts.rs
@@ -1,7 +1,8 @@
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use actix_web::{get, http::StatusCode, web, HttpResponse, ResponseError};
 use exun::{Expect, ResultErrorExt};
+use path_clean::clean;
 use raise::yeet;
 use serde::Serialize;
 use thiserror::Error;
@@ -21,7 +22,7 @@ impl ResponseError for LoadScriptError {
 }

 fn load(script: &str) -> Result> {
- let path = PathBuf::from(format!("static/scripts/{}.js", script));
+ let path = clean(format!("static/scripts/{}.js", script));
 if !path.exists() {
 yeet!(LoadScriptError::FileNotFound(path.into()).into());
 }
diff --git a/src/resources/style.rs b/src/resources/style.rs
index 2777a82..3ea56d2 100644
--- a/src/resources/style.rs
+++ b/src/resources/style.rs
@@ -1,8 +1,9 @@
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use actix_web::{get, http::StatusCode, web, HttpResponse, ResponseError};
 use exun::{Expect, ResultErrorExt};
 use grass::OutputStyle;
+use path_clean::clean;
 use raise::yeet;
 use serde::Serialize;
 use thiserror::Error;
@@ -37,7 +38,7 @@ impl ResponseError for LoadStyleError {
 pub fn load(stylesheet: &str) -> Result> {
 let options = options();

- let path = PathBuf::from(format!("static/style/{}.scss", stylesheet));
+ let path = clean(format!("static/style/{}.scss", stylesheet));
 if !path.exists() {
 yeet!(LoadStyleError::FileNotFound(path.into()).into());
 }
-- 
cgit v1.2.3
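Review bot: `clean()` is only a lexical normalization, so the new `let path = clean(format!("static/scripts/{}.js", script));` can still resolve outside `static/scripts` — path-clean collapses `..` against the preceding component but keeps any surplus leading `..` on a relative path rather than dropping it, so the commit does not actually establish containment. Add a containment check immediately after the assignment, e.g. `if !path.starts_with("static/scripts") { yeet!(LoadScriptError::FileNotFound(path.into()).into()); }` (`Path::starts_with` compares whole components, so a sibling directory with a longer name does not match), or reject a `script` value containing a path separator or `..` before the path is built at all. The `load` hunk in src/resources/style.rs has the same gap and wants the same guard against `static/style`. Where `script` originates is not visible in the hunk (presumably a route parameter, given the `get` import), and `load`'s body continues past the hunk.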