andras/vault-link
1
0
Fork 0
Code Issues Pull requests 18 Projects Releases 55 Packages Wiki Activity Actions 1

Sanitize relative paths server-side

Browse source
This commit is contained in:
Andras Schmelczer 2025-01-04 16:16:54 +00:00
parent 0943681702
commit 6d5b183a3c
No known key found for this signature in database
GPG key ID: FC8F2C3D3D1A718C
6 changed files with 44 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

10
backend/Cargo.lock generated
View file

@ -1610,6 +1610,15 @@ dependencies = [
"winapi-util", "winapi-util",
] ]
[[package]]
name = "sanitize-filename"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc984f4f9ceb736a7bb755c3e3bd17dc56370af2600c9780dcc48c66453da34d"
dependencies = [
"regex",
]
[[package]] [[package]]
name = "schemars" name = "schemars"
version = "0.8.21" version = "0.8.21"
@ -2121,6 +2130,7 @@ dependencies = [
"log", "log",
"rand", "rand",
"reconcile", "reconcile",
"sanitize-filename",
"schemars", "schemars",
"serde", "serde",
"serde_yaml", "serde_yaml",

1
backend/sync_server/Cargo.toml
View file

@ -25,6 +25,7 @@ aide = { version = "0.13.4", features = ["axum", "axum-ws", "scalar", "axum-head
schemars = { version = "0.8.21", features = ["chrono", "uuid1"] } schemars = { version = "0.8.21", features = ["chrono", "uuid1"] }
tracing = "0.1" tracing = "0.1"
rand = "0.8.5" rand = "0.8.5"
sanitize-filename = "0.6.0"
[lints] [lints]
workspace = true workspace = true

15
backend/sync_server/src/server/create_document.rs
View file

@ -12,11 +12,14 @@ use schemars::JsonSchema;
use serde::Deserialize; use serde::Deserialize;
use sync_lib::{base64_to_bytes, merge}; use sync_lib::{base64_to_bytes, merge};
use super::{auth::auth, requests::CreateDocumentVersion, responses::DocumentUpdateResponse}; use super::{
app_state::AppState, auth::auth, requests::CreateDocumentVersion,
responses::DocumentUpdateResponse,
};
use crate::{ use crate::{
app_state::AppState,
database::models::{StoredDocumentVersion, VaultId}, database::models::{StoredDocumentVersion, VaultId},
errors::{client_error, server_error, SyncServerError}, errors::{client_error, server_error, SyncServerError},
utils::sanitize_path,
}; };
// This is required for aide to infer the path parameter types and names // This is required for aide to infer the path parameter types and names
@ -49,9 +52,11 @@ pub async fn create_document(
.await .await
.map_err(server_error)?; .map_err(server_error)?;
let sanitized_relative_path = sanitize_path(&request.relative_path);
let maybe_existing_version = state let maybe_existing_version = state
.database .database
.get_latest_document_by_path(&vault_id, &request.relative_path, Some(&mut transaction)) .get_latest_document_by_path(&vault_id, &sanitized_relative_path, Some(&mut transaction))
.await .await
.map_err(server_error)? .map_err(server_error)?
.and_then(|doc| if doc.is_deleted { None } else { Some(doc) }); .and_then(|doc| if doc.is_deleted { None } else { Some(doc) });
@ -87,7 +92,7 @@ pub async fn create_document(
let new_version = StoredDocumentVersion { let new_version = StoredDocumentVersion {
vault_id, vault_id,
vault_update_id: last_update_id + 1, vault_update_id: last_update_id + 1,
relative_path: request.relative_path, relative_path: sanitized_relative_path,
document_id: existing_version.document_id, document_id: existing_version.document_id,
content: merged_content, content: merged_content,
created_date: request.created_date, created_date: request.created_date,
@ -107,7 +112,7 @@ pub async fn create_document(
vault_id, vault_id,
vault_update_id: last_update_id + 1, vault_update_id: last_update_id + 1,
document_id: uuid::Uuid::new_v4(), document_id: uuid::Uuid::new_v4(),
relative_path: request.relative_path, relative_path: sanitized_relative_path,
content: content_bytes, content: content_bytes,
created_date: request.created_date, created_date: request.created_date,
updated_date: chrono::Utc::now(), updated_date: chrono::Utc::now(),

6
backend/sync_server/src/server/delete_document.rs
View file

@ -10,11 +10,11 @@ use axum_extra::{
use schemars::JsonSchema; use schemars::JsonSchema;
use serde::Deserialize; use serde::Deserialize;
use super::{auth::auth, requests::DeleteDocumentVersion}; use super::{app_state::AppState, auth::auth, requests::DeleteDocumentVersion};
use crate::{ use crate::{
app_state::AppState,
database::models::{DocumentId, StoredDocumentVersion, VaultId}, database::models::{DocumentId, StoredDocumentVersion, VaultId},
errors::{server_error, SyncServerError}, errors::{server_error, SyncServerError},
utils::sanitize_path,
}; };
// This is required for aide to infer the path parameter types and names // This is required for aide to infer the path parameter types and names
@ -52,7 +52,7 @@ pub async fn delete_document(
vault_id, vault_id,
vault_update_id: last_update_id + 1, vault_update_id: last_update_id + 1,
document_id, document_id,
relative_path: request.relative_path, relative_path: sanitize_path(&request.relative_path),
content: vec![], content: vec![],
created_date: request.created_date, created_date: request.created_date,
updated_date: chrono::Utc::now(), updated_date: chrono::Utc::now(),

12
backend/sync_server/src/server/update_document.rs
View file

@ -12,11 +12,14 @@ use schemars::JsonSchema;
use serde::Deserialize; use serde::Deserialize;
use sync_lib::{base64_to_bytes, merge}; use sync_lib::{base64_to_bytes, merge};
use super::{auth::auth, requests::UpdateDocumentVersion, responses::DocumentUpdateResponse}; use super::{
app_state::AppState, auth::auth, requests::UpdateDocumentVersion,
responses::DocumentUpdateResponse,
};
use crate::{ use crate::{
app_state::AppState,
database::models::{DocumentId, StoredDocumentVersion, VaultId}, database::models::{DocumentId, StoredDocumentVersion, VaultId},
errors::{client_error, not_found_error, server_error, SyncServerError}, errors::{client_error, not_found_error, server_error, SyncServerError},
utils::sanitize_path,
}; };
// This is required for aide to infer the path parameter types and names // This is required for aide to infer the path parameter types and names
@ -84,10 +87,11 @@ pub async fn update_document(
.context("Failed to decode base64 content in request") .context("Failed to decode base64 content in request")
.map_err(client_error)?; .map_err(client_error)?;
let sanitized_relative_path = sanitize_path(&request.relative_path);
// Return the latest version if the content and path are the same as the latest // Return the latest version if the content and path are the same as the latest
// version // version
if content_bytes == latest_version.content if content_bytes == latest_version.content
&& request.relative_path == latest_version.relative_path && sanitized_relative_path == latest_version.relative_path
{ {
info!("Document content is the same as the latest version, skipping update"); info!("Document content is the same as the latest version, skipping update");
transaction transaction
@ -110,7 +114,7 @@ pub async fn update_document(
// We can only update the relative path if we're the first one to do so // We can only update the relative path if we're the first one to do so
let new_relative_path = if parent_document.relative_path == latest_version.relative_path { let new_relative_path = if parent_document.relative_path == latest_version.relative_path {
request.relative_path.clone() sanitized_relative_path
} else { } else {
latest_version.relative_path.clone() latest_version.relative_path.clone()
}; };

12
backend/sync_server/src/utils.rs Normal file
View file

@ -0,0 +1,12 @@
/// Sanitize the document's path to allow all clients to create the same path in
/// their filesystem. If we didn't do this server-side, client's would need to
/// deal with mapping invalid names to valid ones and then back.
pub fn sanitize_path(path: &str) -> String {
let options = sanitize_filename::Options {
truncate: true,
windows: true, // Windows is the lowest common denominator
replacement: "",
};
sanitize_filename::sanitize_with_options(path, options)
}