fix file loading from database

Author: lovasoa

src/file_cache.rs

@@ -105,7 +105,7 @@ impl<T: AsyncFromStrWithState> FileCache<T> {
             .file_system
             .read_file(app_state, path)
             .await
-            .with_context(|| format!("Reading {path:?} to load it in cache"));
+            .with_context(|| format!("Couldn't load {path:?} into cache"));
         let parsed = match file_contents {
             Ok(contents) => Ok(T::from_str_with_state(app_state, &contents).await?),
             Err(e) => Err(e),

src/filesystem.rs

@@ -6,17 +6,17 @@ use sqlx::any::{AnyKind, AnyStatement, AnyTypeInfo};
 use sqlx::postgres::types::PgTimeTz;
 use sqlx::{Postgres, Statement, Type};
 use std::io::ErrorKind;
-use std::path::{Path, PathBuf};
+use std::path::{Component, Path, PathBuf};
 
 pub(crate) struct FileSystem {
     local_root: PathBuf,
     db_fs_queries: Option<DbFsQueries>,
 }
 
 impl FileSystem {
-    pub async fn init(db: &Database) -> Self {
+    pub async fn init(local_root: &Path, db: &Database) -> Self {
         Self {
-            local_root: PathBuf::new(),
+            local_root: PathBuf::from(local_root),
             db_fs_queries: match DbFsQueries::init(db).await {
                 Ok(q) => Some(q),
                 Err(e) => {
@@ -37,7 +37,8 @@ impl FileSystem {
         path: &Path,
         since: DateTime<Utc>,
     ) -> anyhow::Result<bool> {
-        let local_result = file_modified_since_local(&self.local_root.join(path), since).await;
+        let local_path = self.safe_local_path(path)?;
+        let local_result = file_modified_since_local(&local_path, since).await;
         match (local_result, &self.db_fs_queries) {
             (Ok(modified), _) => Ok(modified),
             (Err(e), Some(db_fs)) if e.kind() == ErrorKind::NotFound => {
@@ -53,7 +54,8 @@ impl FileSystem {
     }
 
     pub async fn read_file(&self, app_state: &AppState, path: &Path) -> anyhow::Result<String> {
-        let local_result = tokio::fs::read_to_string(&self.local_root.join(path)).await;
+        let local_path = self.safe_local_path(path)?;
+        let local_result = tokio::fs::read_to_string(&local_path).await;
         match (local_result, &self.db_fs_queries) {
             (Ok(f), _) => Ok(f),
             (Err(e), Some(db_fs)) if e.kind() == ErrorKind::NotFound => {
@@ -63,6 +65,14 @@ impl FileSystem {
             (Err(e), _) => Err(e).with_context(|| format!("Unable to read local file {path:?}")),
         }
     }
+
+    fn safe_local_path(&self, path: &Path) -> anyhow::Result<PathBuf> {
+        anyhow::ensure!(
+            path.components().all(|c| matches!(c, Component::Normal(_))),
+            "Unsupported path: {path:?}"
+        );
+        Ok(self.local_root.join(path))
+    }
 }
 
 async fn file_modified_since_local(path: &Path, since: DateTime<Utc>) -> tokio::io::Result<bool> {

src/main.rs

@@ -17,7 +17,6 @@ use std::net::{SocketAddr, ToSocketAddrs};
 use std::path::PathBuf;
 use templates::AllTemplates;
 
-const WEB_ROOT: &str = ".";
 const CONFIG_DIR: &str = "sqlpage";
 const TEMPLATES_DIR: &str = "sqlpage/templates";
 const MIGRATIONS_DIR: &str = "sqlpage/migrations";
@@ -39,9 +38,9 @@ impl AppState {
         let db = Database::init(&database_url).await?;
         log::info!("Connecting to database: {database_url}");
         let all_templates = AllTemplates::init()?;
-        let web_root = std::fs::canonicalize(WEB_ROOT)?;
+        let web_root = get_web_root();
         let sql_file_cache = FileCache::new();
-        let file_system = FileSystem::init(&db).await;
+        let file_system = FileSystem::init(&web_root, &db).await;
         Ok(AppState {
             db,
             all_templates,
@@ -52,6 +51,13 @@ impl AppState {
     }
 }
 
+fn get_web_root() -> PathBuf {
+    env::var("WEB_ROOT").map_or_else(
+        |_| PathBuf::from(&std::path::Component::CurDir),
+        PathBuf::from,
+    )
+}
+
 pub struct Config {
     listen_on: SocketAddr,
 }

src/webserver/database/mod.rs

@@ -218,7 +218,7 @@ impl Database {
         );
         let connection = AnyPool::connect_with(connect_options)
             .await
-            .with_context(|| format!("Unable to open connection to {}", database_url))?;
+            .with_context(|| format!("Unable to open connection to {database_url}"))?;
         Ok(Database { connection })
     }
 }

src/webserver/http.rs

@@ -19,7 +19,7 @@ use std::collections::HashMap;
 use std::io::Write;
 use std::mem;
 use std::net::IpAddr;
-use std::path::{Component, Path, PathBuf};
+use std::path::{Component, PathBuf};
 use std::pin::Pin;
 use std::sync::Arc;
 use tokio::sync::mpsc;
@@ -306,22 +306,15 @@ async fn extract_request_info(req: &mut ServiceRequest) -> RequestInfo {
 }
 
 /// Resolves the path in a query to the path to a local SQL file if there is one that matches
-fn path_to_sql_file(root: &Path, path: &str) -> Option<PathBuf> {
-    let mut path_buf: PathBuf = PathBuf::from(root);
-    path_buf.push(path.strip_prefix('/')?);
-    let request_path = PathBuf::from(path);
-    let extension = request_path.extension();
-    if !matches!(extension, Some(ext) if ext.eq_ignore_ascii_case("sql")) {
-        path_buf.push("index.sql");
-        if !path_buf.is_file() {
-            return None;
+fn path_to_sql_file(path: &str) -> Option<PathBuf> {
+    let mut path = PathBuf::from(path.strip_prefix('/').unwrap_or(path));
+    match path.extension() {
+        None => {
+            path.push("index.sql");
+            Some(path)
         }
-    }
-    let final_path = path_buf.canonicalize().ok()?;
-    if final_path.starts_with(root) {
-        Some(final_path)
-    } else {
-        None
+        Some(ext) if ext == "sql" => Some(path),
+        Some(_other) => None,
     }
 }
 
@@ -334,7 +327,11 @@ async fn process_sql_request(
         .sql_file_cache
         .get(app_state, &sql_path)
         .await
-        .map_err(ErrorInternalServerError)?;
+        .map_err(|e| {
+            ErrorInternalServerError(format!(
+                "An error occurred while trying to handle your request: {e:#}"
+            ))
+        })?;
     let response = render_sql(&mut req, sql_file).await?;
     Ok(req.into_response(response))
 }
@@ -365,8 +362,7 @@ pub fn create_app(
     App::new()
             .route("sqlpage.js", web::get().to(handle_static_js))
             .wrap_fn(|req, srv| {
-                let app_state: web::Data<AppState> = web::Data::clone(req.app_data().expect("app_state"));
-                let sql_file_path = path_to_sql_file(&app_state.web_root, req.path());
+                let sql_file_path = path_to_sql_file(req.path());
                 let sql_file = if let Some(sql_path) = sql_file_path {
                     Ok((req, sql_path))
                 } else {
@@ -381,7 +377,6 @@ pub fn create_app(
             })
             .default_service(
                 actix_files::Files::new("/", &app_state.web_root)
-                    .index_file("index.sql")
                     .path_filter(|path, _|
                         !matches!(path.components().next(), Some(Component::Normal(x)) if x == CONFIG_DIR))
                     .show_files_listing()