Struct fs_mistrust::CheckedDir

source · 
pub struct CheckedDir { /* private fields */ }
Expand description

A directory whose access properties we have verified, along with accessor functions to access members of that directory.

The accessor functions will enforce that whatever security properties we checked on the directory also apply to all of the members that we access within the directory.

§Limitations

Having a CheckedDir means only that, at the time it was created, we were confident that no untrusted user could access it inappropriately. It is still possible, after the CheckedDir is created, that a trusted user can alter its permissions, make its path point somewhere else, or so forth.

If this kind of time-of-use/time-of-check issue is unacceptable, you may wish to look at other solutions, possibly involving openat() or related APIs.

See also the crate-level Limitations section.

Implementations§

source§

impl CheckedDir

source

pub fn make_directory<P: AsRef<Path>>(&self, path: P) -> Result<()>

Construct a new directory within this CheckedDir, if it does not already exist.

path must be a relative path to the new directory, containing no .. components.

source

pub fn make_secure_directory<P: AsRef<Path>>( &self, path: P ) -> Result<CheckedDir>

Construct a new CheckedDir within this CheckedDir

Creates the directory if it does not already exist.

path must be a relative path to the new directory, containing no .. components.

source

pub fn open<P: AsRef<Path>>( &self, path: P, options: &OpenOptions ) -> Result<File>

Open a file within this CheckedDir, using a set of OpenOptions.

path must be a relative path to the new directory, containing no .. components. We check, but do not create, the file’s parent directories. We check the file’s permissions after opening it. If the file already exists, it must not be a symlink.

If the file is created (and this is a unix-like operating system), we always create it with mode 600, regardless of any mode options set in options.

source

pub fn read_directory<P: AsRef<Path>>(&self, path: P) -> Result<ReadDir>

List the contents of a directory within this CheckedDir.

path must be a relative path, containing no .. components. Before listing the directory, we verify that that no untrusted user is able change its contents or make it point somewhere else.

The return value is an iterator as returned by std::fs::ReadDir. We do not check any properties of the elements of this iterator.

source

pub fn remove_file<P: AsRef<Path>>(&self, path: P) -> Result<()>

Remove a file within this CheckedDir.

path must be a relative path, containing no .. components.

Note that we ensure that the parent of the file to be removed is unmodifiable by any untrusted user, but we do not check any permissions on the file itself, since those are irrelevant to removing it.

source

pub fn as_path(&self) -> &Path

Return a reference to this directory as a Path.

Note that this function lets you work with a broader collection of functions, including functions that might let you access or create a file that is accessible by non-trusted users. Be careful!

source

pub fn join<P: AsRef<Path>>(&self, path: P) -> Result<PathBuf>

Return a new PathBuf containing this directory’s path, with path appended to it.

Return an error if path has any components that could take us outside of this directory.

source

pub fn read_to_string<P: AsRef<Path>>(&self, path: P) -> Result<String>

Read the contents of the file at path within this directory, as a String, if possible.

Return an error if path is absent, if its permissions are incorrect, if it has any components that could take us outside of this directory, or if its contents are not UTF-8.

source

pub fn read<P: AsRef<Path>>(&self, path: P) -> Result<Vec<u8>>

Read the contents of the file at path within this directory, as a vector of bytes, if possible.

Return an error if path is absent, if its permissions are incorrect, or if it has any components that could take us outside of this directory.

source

pub fn write_and_replace<P: AsRef<Path>, C: AsRef<[u8]>>( &self, path: P, contents: C ) -> Result<()>

Store contents into the file located at path within this directory.

We won’t write to path directly: instead, we’ll write to a temporary file in the same directory as path, and then replace path with that temporary file if we were successful. (This isn’t truly atomic on all file systems, but it’s closer than many alternatives.)

§Limitations

This function will clobber any existing files with the same name as path but with the extension tmp. (That is, if you are writing to “foo.txt”, it will replace “foo.tmp” in the same directory.)

This function may give incorrect behavior if multiple threads or processes are writing to the same file at the same time: it is the programmer’s responsibility to use appropriate locking to avoid this.

source

pub fn verifier(&self) -> Verifier<'_>

Create a Verifier with the appropriate rules for this CheckedDir.

Trait Implementations§

source§

impl Clone for CheckedDir

source§

fn clone(&self) -> CheckedDir

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for CheckedDir

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for T
where T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.