Rust

Rust

By DeepSource

Potential path traversal vulnerability due to actix::NamedFile::open(..) RS-S1014

Security

Use of actix::NamedFile::open(..) with non-validated user input can lead to path traversal vulnerability, i.e., a vulnerability that may expose private files on server.

Consider sanitizing all the parameters of a function before using them with high-risk functions like actix::NamedFile::open(..).

Bad practice

fn foo(path: &Path) -> impl Response {
    actix::NamedFile::open(path)
}

Recommended

fn foo(path: &Path) -> impl Response {
    actix::NamedFile::open(sanitize(path))
}