
chore(deps): update rust crate actix-files to v0.6.10 [security]#292

Merged
DanielleHuisman merged 1 commit intomainfrom
renovate/crate-actix-files-vulnerability
Feb 6, 2026

Conversation


@renovate renovate bot commented Feb 6, 2026

This PR contains the following updates:

Package      Type                    Update  Change
actix-files  workspace.dependencies  patch   0.6.9 -> 0.6.10

GitHub Vulnerability Alerts

GHSA-8v2v-wjwg-vx6r

Summary

Passing a non-existing folder to the actix_files::Files::new() method causes the actix server to expose unexpected files.

Details

The actix-files library exposes a Files struct that configures an actix service to serve the files in a folder as static assets. Below you can find the signature of the Files::new method:

pub fn new<T: Into<PathBuf>>(mount_path: &str, serve_from: T) -> Files

When the mount_path you pass to Files doesn't exist, it defaults to an empty path (Path::new()). When the service receives an HTTP request, it joins the request information with the empty path and calls canonicalize. Rust resolves this path as relative and returns any file that matches it.

This behavior causes the library to expose unexpected files when the folder is not present.

PoC

There is a working PoC at https://github.com/Angelmmiguel/actix-files-vuln, although the following steps can be followed to reproduce the issue.

  1. Clone the https://github.com/actix/examples repository.

  2. Change your directory to the basics/static-files folder.

  3. Edit the src/main.rs file and change line 13 to mount a non-existing folder:

    -        .service(Files::new("/images", "static/images/").show_files_listing())
    +        .service(Files::new("/images", "static/missing/").show_files_listing())
  4. Run the project with cargo run.

  5. Access the http://localhost:8080/images/Cargo.toml URL.

Impact

This is an exposure of information vulnerability. It affects anyone using the actix-files::Files library that mounts a non-existing folder for any reason.

GHSA-gcqf-3g44-vc9p

Summary

A GET request for a static file served by actix-files with an empty Range header triggers a panic. With panic = "abort", a remote user may crash the process on-demand.

Details

actix-files assumes that HttpRange::parse(), when Ok, always returns a vector with at least one element. When parse() is called on an empty string, it returns Ok(vec![]). This can cause a panic at named.rs:534 when handling an HTTP request with an empty Range: header. This shouldn't significantly impact programs built with the default panic = "unwind", as the only effect is that the connection is closed when the worker thread panics and new threads are spooled up on demand. Programs built with panic = "abort" are vulnerable to being crashed on-demand by any user with permissions to perform a GET request for a static file served by actix-files.
https://github.com/actix/actix-web/blob/0383f4bdd1210e726143ca1ebcf01169b67a4b6c/actix-files/src/named.rs#L530-L535

PoC

Minimal reproduction

Cargo.toml:

[package]
name = "example"
version = "0.1.0"
edition = "2021"

[dependencies]
actix-web = "=4.5.1"
actix-files = "=0.6.5"

[profile.dev]
panic = "abort"

src/main.rs:

use actix_files::NamedFile;
use actix_web::{get, Responder};

#[get("/")]
async fn index() -> impl Responder {
    NamedFile::open("test_file")
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    use actix_web::{App, HttpServer};

    HttpServer::new(|| App::new().service(index))
        .bind(("127.0.0.1", 8080))?
        .run()
        .await
}

test.sh:

#!/bin/bash

echo foo > test_file
cargo b
cargo r&
sleep 1
nc 127.0.0.1 8080 << EOF
GET / HTTP/1.1
Range:

EOF
kill %1

Create these files, then run chmod +x test.sh && ./test.sh. The server should start, then crash upon receiving the GET request from netcat.

This assumes a reasonably UNIX-like system with Rust, bash and netcat installed.

Impact

It is believed that only programs compiled with panic = "abort" are affected significantly. The only potential impact that can be seen is Denial of Service, though an attacker able to repeatedly send GET requests without those requests getting blocked by rate limiting, DDoS protection, etc. would be able to keep a server down indefinitely. As only a single unblocked request is needed to trigger the panic, merely having a rate limiter may not be enough to prevent this.

Though the impact in the worst case is significant, the real-world risk of this vulnerability appears to be limited, as it would be expected that anyone for whom uptime is a significant concern would not compile their program with panic = "abort".


Release Notes

actix/actix-web (actix-files)

v0.6.10: Actix web 0.6.10


Changes

Added
  • Allow use of paths without trailing slashes for scope registration #241

  • Allow setting the encoding for an exact NamedFile #239

Fixed
  • TestServer::post() actually sends GET request #240

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
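The first advisory (GHSA-8v2v-wjwg-vx6r) turns on a missing directory collapsing to an empty base path. As an added example that is not code from the advisory or from actix-files, the block below models that fallback with plain std::path and places a hardened resolver beside it; `effective_base`, `resolve_unchecked` and `resolve_checked` are names chosen here, and the fallback model is a simplification of the behaviour the advisory describes.

```rust
use std::io;
use std::path::{Path, PathBuf};

/// Model of the pre-fix behaviour the advisory describes (simplified, not
/// actix's code): a directory that cannot be canonicalized collapses to an
/// empty base path, so every request is resolved relative to the working directory.
pub fn effective_base(serve_from: &Path) -> PathBuf {
    serve_from.canonicalize().unwrap_or_else(|_| PathBuf::new())
}

/// Unchecked resolution: join the request onto the base and canonicalize,
/// with no check that the result is still under the configured directory.
pub fn resolve_unchecked(serve_from: &Path, request: &str) -> io::Result<PathBuf> {
    effective_base(serve_from).join(request).canonicalize()
}

/// Hardened resolution: fail fast if the directory is missing, canonicalize
/// the base once, and require the resolved file to remain inside it.
pub fn resolve_checked(serve_from: &Path, request: &str) -> io::Result<PathBuf> {
    let base = serve_from.canonicalize()?; // NotFound when the directory does not exist
    if !base.is_dir() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "serve_from is not a directory"));
    }
    // A leading '/' would make `join` discard the base entirely, so strip it.
    let target = base.join(request.trim_start_matches('/')).canonicalize()?;
    if target.starts_with(&base) {
        Ok(target)
    } else {
        Err(io::Error::new(io::ErrorKind::PermissionDenied, "request escapes the static root"))
    }
}

fn main() {
    // Same mount the PoC uses: a directory that does not exist.
    let missing = Path::new("static/missing");
    println!("unchecked: {:?}", resolve_unchecked(missing, "Cargo.toml"));
    println!("checked:   {:?}", resolve_checked(missing, "Cargo.toml"));
}
```

Run from a checkout that has a Cargo.toml in the working directory, the unchecked resolver returns that file while the checked one reports NotFound for the missing mount.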
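The second advisory (GHSA-gcqf-3g44-vc9p) is an Ok-but-empty result being indexed. As an added example that is not the advisory's or actix-files' code, the block below uses a simplified stand-in for HttpRange::parse (named `parse_ranges` here; suffix ranges are not supported) and shows the panicking `[0]`-style pattern beside the `first()`-style pattern that treats an empty list as "no Range header".

```rust
/// A parsed byte range: offset and length, as a static-file handler would
/// use them to build a 206 Partial Content response.
#[derive(Debug, PartialEq)]
pub struct ByteRange {
    pub start: u64,
    pub length: u64,
}

/// Simplified stand-in for HttpRange::parse (not the real parser). As in the
/// advisory, an empty header value is not an error: it returns Ok(vec![]).
pub fn parse_ranges(header: &str, size: u64) -> Result<Vec<ByteRange>, String> {
    let spec = header.trim();
    if spec.is_empty() {
        return Ok(Vec::new());
    }
    let body = spec.strip_prefix("bytes=").ok_or("unsupported range unit")?;
    let mut ranges = Vec::new();
    for part in body.split(',') {
        let (s, e) = part.trim().split_once('-').ok_or("malformed range")?;
        let start: u64 = s.parse().map_err(|_| "bad range start")?;
        let end: u64 = if e.is_empty() {
            size.saturating_sub(1) // "bytes=N-" means N to end of file
        } else {
            e.parse().map_err(|_| "bad range end")?
        };
        if start >= size || start > end {
            return Err("unsatisfiable range".to_string()); // handler answers 416
        }
        ranges.push(ByteRange { start, length: end.min(size - 1) - start + 1 });
    }
    Ok(ranges)
}

/// Pre-fix pattern: assumes Ok means "at least one range" and removes index 0,
/// which panics on `Range:` with an empty value.
pub fn first_range_unchecked(header: &str, size: u64) -> Result<Option<ByteRange>, String> {
    parse_ranges(header, size).map(|mut ranges| Some(ranges.remove(0)))
}

/// Hardened pattern: an empty list is reported as None, so the handler falls
/// back to a full 200 response instead of panicking the worker.
pub fn first_range_checked(header: &str, size: u64) -> Result<Option<ByteRange>, String> {
    parse_ranges(header, size).map(|ranges| ranges.into_iter().next())
}

fn main() {
    println!("empty Range, checked: {:?}", first_range_checked("", 100));
    println!("bytes=0-9, checked:   {:?}", first_range_checked("bytes=0-9", 100));
}
```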

@DanielleHuisman DanielleHuisman merged commit ec4a426 into main Feb 6, 2026
8 checks passed
@DanielleHuisman DanielleHuisman deleted the renovate/crate-actix-files-vulnerability branch February 6, 2026 21:29