Added option restrict-upload-dir

[jonasdiemer]

To fix #842

[svenstaro]

Cool, before I do a proper review, could you add a test to check that other directories are now indeed forbidden?

[jonasdiemer]

Sure, let me have a look into testing in Rust :)

[svenstaro]

You can take a look at the other tests concerning the upload. It should be somewhat straight forward. Just remember: If you messed up and the test doesn't pick it up, this is a security issue so we need to be really careful here. :)

[jonasdiemer]

@svenstaro thanks for the suggestion. Fixed an issue (running tests is actually helpful :)) and added a test similar to existing one uploading_files_is_prevented.

[svenstaro]

Good stuff! This will probably require a few rounds of reviews until we get there but i think for your first foray into Rust this is already looking pretty good.

[jonasdiemer]

Reworked the solution to use PathBuf and with this also fixed subdirectories not working.

Edit: improved (hopefully) the style a bit using iter().any().

@svenstaro I'd appreciate some feedback (esp. on improving the style). Thanks again! :)

[svenstaro]

I'd be happy to merge as-is. Please update the README.md with the new output of miniserve --help and fix the formatting issue and we're good to merge.

[svenstaro]

Found a few tiny things but once we have that, we're good to go. Great job so far!

[svenstaro]

If you like, you can choose a short letter for this as well as it'd be annoying to write it out many times otherwise.

[jonasdiemer]

I'd go for 'A' (as in allowed...), but I am wondering if we might just want to re-purpose -u...

[svenstaro]

You mean something like -u alone would allow for uploading everywhere and then -u /tmp/lol would allow uploading only to that dir? If that's what you're thinking, I appreciate the conciseness but I can't help but wonder whether that wouldn't make -u pretty hard to parse (is it even still possible?) and somewhat confusing to users perhaps. Thoughts?

[svenstaro]

-A is a fine choice, I think.

[jonasdiemer]

You mean something like -u alone would allow for uploading everywhere and then -u /tmp/lol would allow uploading only to that dir? If that's what you're thinking, I appreciate the conciseness but I can't help but wonder whether that wouldn't make -u pretty hard to parse (is it even still possible?) and somewhat confusing to users perhaps. Thoughts?

Exactly, that was my thinking (after seeing so many command line shorts already taken ;)). Not sure about the parsing, though, I'd give it a try...

[svenstaro]

Does it parse this correctly? -u --some-other-flag? Would it try to parse the stuff behind -u as a PathBuf?

[jonasdiemer]

Just tried -u --verbose and it worked as expected (i.e. verbose output and allowed_upload_dir == Some([]) (i.e. it would allow uploads everywhere)

[jonasdiemer]

I've just committed a version that uses -u to define allowed directories. @svenstaro, please check it out and let me know what you think (I am also fine to use the previous version with -A as a shortcut).

[Atreyagaurav]

I like the -u with min_values. Makes more sense. Might want to try how it does in windows shell. It should work in bash because we've to use ./-path when a file starts with - (e.g. touch ./-h) otherwise it'll be parsed as cli argument.

[jonasdiemer]

Unfortunately, I cannot try on Windows.

Directories starting with - would also need the ./ prefix, which doesn't work with my implementation (yet) - will have a look.

[svenstaro]

Hey, I think we're almost there now. Only some tiny stuff now. I'd like to put this into the next miniserve release, too! Do you have some time to finish it up soon so we can land it with the release?

[svenstaro]

-A is a fine choice, I think.

[jonasdiemer]

Hey, I think we're almost there now. Only some tiny stuff now. I'd like to put this into the next miniserve release, too! Do you have some time to finish it up soon so we can land it with the release?

Except for the decision for using -u or -A (and some cleanup in case we go with -u), it should be ready.

[svenstaro]

Please run cargo fmt to fix CI.

[jonasdiemer]

Fixed formatting and also sanitized paths so that specification of `-u ./some_dir' also works.

[svenstaro]

There's a small lint to fix there.

[jonasdiemer]

Looks like CICD on Windows fails, might have to do with the tests that include a dash in the directory name. Unfortunately, I don't have a windows machine to test on...

[Atreyagaurav]

I also don't have a Windows machine to build miniserve to test, but I made a colleague try to make a directory named "-h" and it was a success (I tried both with "New Folder" button and mkdir in cmd. cd -h & cd ./-hworked fine, but dir ./-h gave Invalid switch - "h".

I don't know if it's a good idea, but we might be able to use cfg to only test that on Linux? At least for now...

[svenstaro]

I'd be fine if we don't run that test on Windows.

[jonasdiemer]

As CI has test cases 3+4 failing, I am not sure it's related to the dot. Rather, it could be related to sub-directories (and possibly different path separator for Windows). I've pushed another commit that tries to fix the paths for windows, let's see if it passes CI. Suggestions welcome (struggling a bit as a noob without access to the target platform).

[svenstaro]

Does it work if you take these as Path or OsPath? That might be a better way that just works in Windows as well.

[svenstaro]

It seems like there's a conflict with the recent QR stuff merge. Could you rebase?

[jonasdiemer]

Rebase done, still need to fix the failing test for windows platform.

[svenstaro]

I still don't really understand why you can't use a std::path::Path here as it will take care of the conversion for you on the operating systems. Wouldn't that be more convenient?

[jonasdiemer]

Yeah, I was thinking the same, but thought I'd stick first with they way other tests (see e.g. l. 179) handled it. Since that didn't work in this case (CI still failing), I will try the approach with std::path::Path.

[svenstaro]

We should probably change other tests as well. :)

[svenstaro]

Since it still doesn't work, I'd also be ok with you simply disabling the failing test cases on Windows.

[jonasdiemer]

Yup, and kind of hard to make progress without access to a windows machine. Not sure I'll find time to setup something (e.g. on Azure/CodeSpaces)...

@svenstaro, I don't know how I would disable a test-case for a specific platform. Could you give me a pointer?

[jonasdiemer]

Also noticed, that the feature doesn't work on windows with subdirectories (likely due to \ vs /) - found out by running miniserve.exe from publish_release action on an old windows laptop. Pushed a fix, waiting for Action workflow to verify.

[jonasdiemer]

Looks like I found a solution - latest commit passes CI on all platforms.

I assume the warning (the following packages contain code that will be rejected by a future version of Rust: winapi v0.2.8) has nothing to do with my PR.

From my perspective, the PR should be ready to merge now - please let me know if I overlooked something.

Re the 500 errors, I might have a stab at that if time permits.

[jonasdiemer]

Well, the error handling was easier to fix than I thought - fixed it (also for the case when overwrite_files is not set, i.e. DuplicateFileError).

[svenstaro]

At last! Outstanding work getting it to this state. It took a while but I hope you appreciate that for security stuff we need to go the extra mile. :)

[jonasdiemer]

Thanks a lot for your guidance (and patience), I leaned a lot and it was fun!