User can access arbitrary files with static file hosting on Windows

[adumbidiot]

Version
0.3.2

Platform
Windows 10 64 bit

Description
I'm creating this issue from tower-rs/tower-http#204, where more details can be found. Essentially, if a user inputs a drive letter into the file path, it replaces the entire path. This allows a user to view anything in the current directory of the program, and everything in other attached disks, provided the program can access those files.

I tried this code, which I copied and edited from the attached PR:
Cargo.toml

[package]
name = "warp-tower-204"
version = "0.1.0"
edition = "2018"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
tokio = { version = "1.15.0", features = ["full"] }
tracing-subscriber = { version = "0.2.7", features = [ "fmt" ] }
warp = "0.3.2"

main.rs

use tracing_subscriber::fmt::format::FmtSpan;

#[tokio::main]
async fn main() {
    tracing_subscriber::fmt().with_env_filter("tracing=info,warp=debug").with_span_events(FmtSpan::CLOSE).init();
    warp::serve(warp::fs::dir("d:/js/OnlyOne/Dist/"))
        .run(([127, 0, 0, 1], 3030))
        .await;
}

I ran this program on drive D. Then I opened the url in chrome: http://127.0.0.1:3030/static/asdf/c:/windows/win.ini

I expected to see this happen:
I expected the request to fail with a 404.

Instead, this happened:
The server responded with:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[ResponseResult]
ResultCode=0

[seanmonstar]

Thank you for the report! Windows is a joy... So, can we add : as an illegal character when cfg(windows)?

[adumbidiot]

I think that works. You just cant pass an absolute path or a path with a prefix to push. Looking at Prefix, I don't think its possible to push a path with a prefix in the validate function without a : as I think all other variants have characters that cannot be present at that point. I'm not sure how prefixes affect other platforms.

Edit:
Actually, I think its possible to create files with : in them on Windows. However, its not easy; I accidentally created a file called :.txt under WSL, but maybe its easier with UNC paths. NTFS also seems to allow : in file names, but only under the POSIX namespace. Not sure if that's something worth supporting. The alternative to denying : would be something like tower's fix, just ensuring each path component is not understood as a prefix.

[davidpdrsn]

FYI I've filed a rustsec about this for tower-http rustsec/advisory-db#1159. The vulnerable code in tower-http was based on code from warp. Might wanna do the same for warp 👀