fix(server): prevent serving an already expired file

orhun · Nov 6, 2021 · f078a9a · f078a9a
1 parent 3eee294
commit f078a9a
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 13 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,6 +27,7 @@ url = "2.2.2"
 mime = "0.3.16"
 regex = "1.5.4"
 serde_regex = "1.1.0"
+lazy-regex = "2.2.1"
 humantime = "2.1.0"
 glob = "0.3.0"
 ring = "0.16.20"

diff --git a/src/file.rs b/src/file.rs
@@ -45,9 +45,10 @@ impl<'a> TryFrom<&'a Path> for Directory {
 impl Directory {
     /// Returns the file that matches the given checksum.
     pub fn get_file<S: AsRef<str>>(self, sha256sum: S) -> Option<File> {
-        self.files
-            .into_iter()
-            .find(|file| file.sha256sum == sha256sum.as_ref())
+        self.files.into_iter().find(|file| {
+            file.sha256sum == sha256sum.as_ref()
+                && !util::TIMESTAMP_EXTENSION_REGEX.is_match(&file.path.to_string_lossy())
+        })
     }
 }
 

diff --git a/src/paste.rs b/src/paste.rs
@@ -177,7 +177,7 @@ impl Paste {
         let bytes = response.body().limit(payload_limit).await?.to_vec();
         let bytes_checksum = util::sha256_digest(&*bytes)?;
         self.data = bytes;
-        if !config.paste.duplicate_files.unwrap_or(true) {
+        if !config.paste.duplicate_files.unwrap_or(true) && expiry_date.is_none() {
             if let Some(file) =
                 Directory::try_from(config.server.upload_path.as_path())?.get_file(bytes_checksum)
             {

diff --git a/src/server.rs b/src/server.rs
@@ -106,6 +106,7 @@ async fn upload(
             }
             if paste_type != PasteType::Oneshot
                 && paste_type != PasteType::RemoteFile
+                && expiry_date.is_none()
                 && !config.paste.duplicate_files.unwrap_or(true)
             {
                 let bytes_checksum = util::sha256_digest(&*bytes)?;

diff --git a/src/util.rs b/src/util.rs
@@ -1,11 +1,15 @@
 use actix_web::{error, Error as ActixError};
 use glob::glob;
+use lazy_regex::{lazy_regex, Lazy, Regex};
 use ring::digest::{Context, SHA256};
 use std::io::{BufReader, Read};
 use std::path::PathBuf;
 use std::time::Duration;
 use std::time::{SystemTime, UNIX_EPOCH};
 
+/// Regex for matching the timestamp extension of a path.
+pub static TIMESTAMP_EXTENSION_REGEX: Lazy<Regex> = lazy_regex!(r#"\.[0-9]{10,}$"#);
+
 /// Returns the system time as [`Duration`](Duration).
 pub fn get_system_time() -> Result<Duration, ActixError> {
     SystemTime::now()
@@ -17,15 +21,20 @@ pub fn get_system_time() -> Result<Duration, ActixError> {
 ///
 /// The file extension is accepted as a timestamp that points to the expiry date.
 pub fn glob_match_file(mut path: PathBuf) -> Result<PathBuf, ActixError> {
-    if let Some(glob_path) = glob(&format!(
-        "{}.[0-9]*",
-        path.to_str()
-            .ok_or_else(|| error::ErrorInternalServerError(
-                "file name contains invalid characters"
-            ))?,
-    ))
-    .map_err(error::ErrorInternalServerError)?
-    .next()
+    path = PathBuf::from(
+        TIMESTAMP_EXTENSION_REGEX
+            .replacen(
+                path.to_str().ok_or_else(|| {
+                    error::ErrorInternalServerError("path contains invalid characters")
+                })?,
+                1,
+                "",
+            )
+            .to_string(),
+    );
+    if let Some(glob_path) = glob(&format!("{}.[0-9]*", path.to_string_lossy()))
+        .map_err(error::ErrorInternalServerError)?
+        .next()
     {
         let glob_path = glob_path.map_err(error::ErrorInternalServerError)?;
         if let Some(extension) = glob_path