net/

local_directory_listing.rs

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */

use std::fs::Metadata;
use std::path::PathBuf;

use chrono::{DateTime, Local};
use embedder_traits::resources::{Resource, read_string};
use headers::{ContentType, HeaderMapExt};
use net_traits::request::Request;
use net_traits::response::{Response, ResponseBody};
use net_traits::{NetworkError, ResourceFetchTiming};
use servo_config::pref;
use servo_url::ServoUrl;
use url::Url;

pub(crate) async fn fetch(request: &mut Request, url: ServoUrl, path_buf: PathBuf) -> Response {
    if !pref!(network_local_directory_listing_enabled) {
        // If you want to be able to browse local directories, configure Servo prefs so that
        // "network.local_directory_listing.enabled" is set to true.
        return Response::network_error(NetworkError::LocalDirectoryError);
    }

    if !request.origin.is_opaque() {
        // Checking for an opaque origin as a shorthand for user activation
        // as opposed to a request originating from a script.
        // TODO(32534): carefully consider security of this approach.
        return Response::network_error(NetworkError::LocalDirectoryError);
    }

    let directory_contents = match tokio::fs::read_dir(path_buf.clone()).await {
        Ok(directory_contents) => directory_contents,
        Err(error) => {
            return Response::network_error(NetworkError::ResourceLoadError(format!(
                "Unable to access directory: {error}"
            )));
        },
    };

    let output = build_html_directory_listing(url.as_url(), path_buf, directory_contents).await;

    let mut response = Response::new(url, ResourceFetchTiming::new(request.timing_type()));
    response.headers.typed_insert(ContentType::html());
    *response.body.lock() = ResponseBody::Done(output.into_bytes());

    response
}

/// Returns an the string of an JavaScript `<script>` tag calling the `setData` function with the
/// contents of the given [`ReadDir`] directory listing.
///
/// # Arguments
///
/// * `url` - the original URL of the request that triggered this directory listing.
/// * `path` - the full path to the local directory.
/// * `directory_contents` - a [`ReadDir`] with the contents of the directory.
pub(crate) async fn build_html_directory_listing(
    url: &Url,
    path: PathBuf,
    mut directory_contents: tokio::fs::ReadDir,
) -> String {
    let mut page_html = String::with_capacity(1024);
    page_html.push_str("<!DOCTYPE html>");

    let mut parent_url_string = String::new();
    if path.parent().is_some() {
        let mut parent_url = url.clone();
        if let Ok(mut path_segments) = parent_url.path_segments_mut() {
            path_segments.pop();
        }
        parent_url.as_str().clone_into(&mut parent_url_string);
    }

    page_html.push_str(&read_string(Resource::DirectoryListingHTML));

    page_html.push_str("<script>\n");
    page_html.push_str(&format!(
        "setData({:?}, {:?}, [",
        url.as_str(),
        parent_url_string
    ));

    while let Ok(Some(directory_entry)) = directory_contents.next_entry().await {
        let Ok(metadata) = directory_entry.metadata().await else {
            continue;
        };
        write_directory_entry(directory_entry, metadata, url, &mut page_html);
    }

    page_html.push_str("]);");
    page_html.push_str("</script>\n");

    page_html
}

fn write_directory_entry(
    entry: tokio::fs::DirEntry,
    metadata: Metadata,
    url: &Url,
    output: &mut String,
) {
    let Ok(name) = entry.file_name().into_string() else {
        return;
    };

    let mut file_url = url.clone();
    {
        let Ok(mut path_segments) = file_url.path_segments_mut() else {
            return;
        };
        path_segments.push(&name);
    }

    let class = if metadata.is_dir() {
        "directory"
    } else if metadata.is_symlink() {
        "symlink"
    } else {
        "file"
    };

    let file_url_string = &file_url.to_string();
    let file_size = metadata_to_file_size_string(&metadata);
    let last_modified = metadata
        .modified()
        .map(DateTime::<Local>::from)
        .map(|time| time.format("%F %r").to_string())
        .unwrap_or_default();

    // The file name is the only value here that reaches the page unencoded; the
    // url crate percent-encodes `<`/`>` in `file_url_string`, and the remaining
    // fields are produced by us. `{:?}` is not enough on its own because it
    // leaves `</script>` intact inside the script element below.
    let name = script_string_literal(&name);
    output.push_str(&format!(
        "[{class:?}, {name}, {file_url_string:?}, {file_size:?}, {last_modified:?}],"
    ));
}

/// Serialise `value` as a JavaScript string literal that is safe to embed in the
/// inline `<script>` element of the directory listing. `{:?}` produces a valid
/// literal but leaves any `<` (and therefore `</script>`) untouched, which lets a
/// crafted file name close the script element and inject markup into the page.
fn script_string_literal(value: &str) -> String {
    format!("{value:?}").replace('<', "\\u003C")
}

pub fn metadata_to_file_size_string(metadata: &Metadata) -> String {
    if !metadata.is_file() {
        return String::new();
    }

    let mut float_size = metadata.len() as f64;
    let mut prefix_power = 0;
    while float_size > 1000.0 && prefix_power < 3 {
        float_size /= 1000.0;
        prefix_power += 1;
    }

    let prefix = match prefix_power {
        0 => "B",
        1 => "KB",
        2 => "MB",
        _ => "GB",
    };

    format!("{:.2} {prefix}", float_size)
}

#[cfg(test)]
mod tests {
    use super::script_string_literal;

    #[test]
    fn script_string_literal_neutralises_script_close() {
        let literal = script_string_literal("a</script><img src=x onerror=alert(1)>b");
        assert!(!literal.contains('<'));
        assert!(!literal.to_lowercase().contains("</script"));
    }

    #[test]
    fn script_string_literal_keeps_debug_escaping() {
        // Quotes and backslashes from the input stay escaped so the result is
        // still a valid JavaScript string literal.
        assert_eq!(script_string_literal("a\"b\\c"), r#""a\"b\\c""#);
        assert_eq!(script_string_literal("plain"), r#""plain""#);
    }
}