Added checking for .. and backslash in path, introduced custome exceptions

michalpokusa · michalpokusa · commit 725c8116ecee · 2023-04-14T02:57:06.000Z
diff --git a/adafruit_httpserver/exceptions.py b/adafruit_httpserver/exceptions.py
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: Copyright (c) 2022 Dan Halbert for Adafruit Industries
+#
+# SPDX-License-Identifier: MIT
+"""
+`adafruit_httpserver.exceptions`
+====================================================
+* Author(s): Michał Pokusa
+"""
+
+
+class InvalidPathError(Exception):
+    """
+    Parent class for all path related errors.
+    """
+
+
+class ParentDirectoryReferenceError(InvalidPathError):
+    """
+    Path contains ``..``, a reference to the parent directory.
+    """
+
+    def __init__(self, path: str) -> None:
+        """Creates a new ``ParentDirectoryReferenceError`` for the ``path``."""
+        super().__init__(f"Parent directory reference in path: {path}")
+
+
+class BackslashInPathError(InvalidPathError):
+    """
+    Backslash ``\\`` in path.
+    """
+
+    def __init__(self, path: str) -> None:
+        """Creates a new ``BackslashInPathError`` for the ``path``."""
+        super().__init__(f"Backslash in path: {path}")
+
+
+class ResponseAlreadySentException(Exception):
+    """
+    Another ``HTTPResponse`` has already been sent. There can only be one per ``HTTPRequest``.
+    """
+
+
+class FileNotExistsError(Exception):
+    """
+    Raised when a file does not exist.
+    """
+
+    def __init__(self, path: str) -> None:
+        """
+        Creates a new ``FileNotExistsError`` for the file at ``path``.
+        """
+        super().__init__(f"File does not exist: {path}")
diff --git a/adafruit_httpserver/response.py b/adafruit_httpserver/response.py
@@ -17,6 +17,12 @@
 import os
 from errno import EAGAIN, ECONNRESET
 
+from .exceptions import (
+    BackslashInPathError,
+    FileNotExistsError,
+    ParentDirectoryReferenceError,
+    ResponseAlreadySentException,
+)
 from .mime_type import MIMEType
 from .request import HTTPRequest
 from .status import HTTPStatus, CommonHTTPStatus
@@ -153,7 +159,7 @@ def send(
         Should be called **only once** per response.
         """
         if self._response_already_sent:
-            raise RuntimeError("Response was already sent")
+            raise ResponseAlreadySentException
 
         if getattr(body, "encode", None):
             encoded_response_message_body = body.encode("utf-8")
@@ -167,11 +173,39 @@ def send(
         self._send_bytes(self.request.connection, encoded_response_message_body)
         self._response_already_sent = True
 
+    @staticmethod
+    def _check_file_path_is_valid(file_path: str) -> bool:
+        """
+        Checks if ``file_path`` is valid.
+        If not raises error corresponding to the problem.
+        """
+
+        # Check for backslashes
+        if "\\" in file_path:  # pylint: disable=anomalous-backslash-in-string
+            raise BackslashInPathError(file_path)
+
+        # Check each component of the path for parent directory references
+        for part in file_path.split("/"):
+            if part == "..":
+                raise ParentDirectoryReferenceError(file_path)
+
+    @staticmethod
+    def _get_file_length(file_path: str) -> int:
+        """
+        Tries to get the length of the file at ``file_path``.
+        Raises ``FileNotExistsError`` if file does not exist.
+        """
+        try:
+            return os.stat(file_path)[6]
+        except OSError:
+            raise FileNotExistsError(file_path)  # pylint: disable=raise-missing-from
+
     def send_file(
         self,
         filename: str = "index.html",
         root_path: str = "./",
         buffer_size: int = 1024,
+        safe: bool = True,
     ) -> None:
         """
         Send response with content of ``filename`` located in ``root_path``.
@@ -181,23 +215,24 @@ def send_file(
         Should be called **only once** per response.
         """
         if self._response_already_sent:
-            raise RuntimeError("Response was already sent")
+            raise ResponseAlreadySentException
+
+        if safe:
+            self._check_file_path_is_valid(filename)
 
         if not root_path.endswith("/"):
             root_path += "/"
-        try:
-            file_length = os.stat(root_path + filename)[6]
-        except OSError:
-            # If the file doesn't exist, return 404.
-            HTTPResponse(self.request, status=CommonHTTPStatus.NOT_FOUND_404).send()
-            return
+
+        full_file_path = root_path + filename
+
+        file_length = self._get_file_length(full_file_path)
 
         self._send_headers(
             content_type=MIMEType.from_file_name(filename),
             content_length=file_length,
         )
 
-        with open(root_path + filename, "rb") as file:
+        with open(full_file_path, "rb") as file:
             while bytes_read := file.read(buffer_size):
                 self._send_bytes(self.request.connection, bytes_read)
         self._response_already_sent = True
diff --git a/adafruit_httpserver/server.py b/adafruit_httpserver/server.py
@@ -16,6 +16,7 @@
 
 from errno import EAGAIN, ECONNRESET, ETIMEDOUT
 
+from .exceptions import FileNotExistsError, InvalidPathError
 from .methods import HTTPMethod
 from .request import HTTPRequest
 from .response import HTTPResponse
@@ -160,22 +161,33 @@ def poll(self):
                     _HTTPRoute(request.path, request.method)
                 )
 
-                # If a handler for route exists and is callable, call it.
-                if handler is not None and callable(handler):
-                    handler(request)
-
-                # If no handler exists and request method is GET, try to serve a file.
-                elif handler is None and request.method == HTTPMethod.GET:
-                    filename = "index.html" if request.path == "/" else request.path
-                    HTTPResponse(request).send_file(
-                        filename=filename,
-                        root_path=self.root_path,
-                        buffer_size=self.request_buffer_size,
+                try:
+                    # If a handler for route exists and is callable, call it.
+                    if handler is not None and callable(handler):
+                        handler(request)
+
+                    # If no handler exists and request method is GET, try to serve a file.
+                    elif handler is None and request.method == HTTPMethod.GET:
+                        filename = "index.html" if request.path == "/" else request.path
+                        HTTPResponse(request).send_file(
+                            filename=filename,
+                            root_path=self.root_path,
+                            buffer_size=self.request_buffer_size,
+                        )
+                    else:
+                        HTTPResponse(
+                            request, status=CommonHTTPStatus.BAD_REQUEST_400
+                        ).send()
+
+                except InvalidPathError as error:
+                    HTTPResponse(request, status=CommonHTTPStatus.FORBIDDEN_403).send(
+                        str(error)
+                    )
+
+                except FileNotExistsError as error:
+                    HTTPResponse(request, status=CommonHTTPStatus.NOT_FOUND_404).send(
+                        str(error)
                     )
-                else:
-                    HTTPResponse(
-                        request, status=CommonHTTPStatus.BAD_REQUEST_400
-                    ).send()
 
         except OSError as error:
             # Handle EAGAIN and ECONNRESET
