Prevent dir traversal, use admin destinations when PSKs are equal

Trolldemorted · fsck · commit 952c65d6e3ed · 2019-03-02T14:34:10.000+01:00
Fixes #36 Fixes #32 Fixes #25
diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,7 @@
 *.code-workspace
 /data
 *.yml
+/.enocache
 
 # Cargo
 /target
diff --git a/Dockerfile b/Dockerfile
@@ -34,7 +34,6 @@ COPY ./static ./static
 COPY ./Rocket.toml ./Rocket.toml
 
 ENV ROCKET_ENV production
-ENV ROCKET_TEMPLATE_DIR static
 
 RUN adduser --disabled-password --gecos '' enokey
 RUN mkdir /home/enokey/.ssh
diff --git a/Rocket.toml b/Rocket.toml
@@ -1,6 +1,2 @@
 [production]
 port = 8000
-template_dir = "static"
-
-[development]
-template_dir = "static"
diff --git a/src/main.rs b/src/main.rs
@@ -29,6 +29,7 @@ use rocket::response::NamedFile;
 use rocket::http::RawStr;
 use rocket::response::content;
 use rocket_contrib::templates::Template;
+use rocket_contrib::serve::StaticFiles;
 
 use getopts::Options;
 use regex::Regex;
@@ -115,10 +116,10 @@ fn index_post(form: Result<Form<FormInput>, FormError>) -> content::Html<String>
     content::Html(match form {
         Ok(form) => {
             let config = &*CONFIG.lock().unwrap();
-            let destinations = if form.authkey == config.user_psk {
-                &config.user_destinations
-            } else if &form.authkey == &config.admin_psk {
+            let destinations = if form.authkey == config.admin_psk {
                 &config.admin_destinations
+            } else if &form.authkey == &config.user_psk {
+                &config.user_destinations
             } else {
                 return content::Html(format!("Wrong AUTHKEY: {:?}", form))
             };
@@ -194,30 +195,6 @@ fn favicon() -> io::Result<NamedFile> {
     NamedFile::open("static/favicon.ico")
 }
 
-#[get("/static/<file..>")]
-fn static_files(file: PathBuf) -> Option<NamedFile> {
-    let allowed_files = vec!(
-        "css/bootstrap.min.css",
-        "css/bootstrap.min.css.map",
-        "css/style.css"
-    );
-
-    if let Some(file) = file.to_str() {
-        if allowed_files.contains(&file) {
-            return NamedFile::open(Path::new("static/").join(file)).ok();
-        }
-    }
-    None
-}
-
-#[get("/keyfiles/<file..>")]
-fn key_files(file: PathBuf) -> Option<NamedFile> {
-    if let Some(file) = file.to_str() {
-        return NamedFile::open(Path::new("keyfiles/").join(file)).ok()
-    }
-    None
-}
-
 fn main() {
     let args: Vec<String> = env::args().collect();
     let program = args[0].clone();
@@ -292,7 +269,9 @@ fn main() {
     }
 
     rocket::ignite()
-        .mount("/", routes![static_files, index_post, index_get, deploy_get, deploy_post, favicon, key_files])
+        .mount("/static", StaticFiles::from("static"))
+        .mount("/keyfiles", StaticFiles::from("keyfiles"))
+        .mount("/", routes![index_post, index_get, deploy_get, deploy_post, favicon])
         .attach(Template::fairing())
         .launch();
 }
diff --git a/src/storage.rs b/src/storage.rs
@@ -67,7 +67,6 @@ pub fn generate_authorized_key_files(destinations: &[Destination]) -> Result<(),
             write!(authorized_keys_file, "{}", &deploy_key)?
         }
 
-
         // append raw keys
         let mut raw_keys = String::new();
         if let Ok(mut raw_keys_file) = File::open(&destination.raw_storage_file_name) {
diff --git a/templates/deploy.html.hbs b/templates/deploy.html.hbs

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,6 @@ pub fn generate_authorized_key_files(destinations: &[Destination]) -> Result<(),`
`67`	`67`	`write!(authorized_keys_file, "{}", &deploy_key)?`
`68`	`68`	`}`
`69`	`69`
`70`		`-`
`71`	`70`	`// append raw keys`
`72`	`71`	`let mut raw_keys = String::new();`
`73`	`72`	`if let Ok(mut raw_keys_file) = File::open(&destination.raw_storage_file_name) {`