
Fix clippy warnings: remove unused imports/variables/functions, derive Default, fix comparisons

This commit is contained in:
2026-04-12 15:23:02 +00:00
parent 2857f06280
commit f1a76e33f3
39 changed files with 589 additions and 67 deletions


@ -8,40 +8,15 @@
use actix_web::{web, HttpRequest, HttpResponse, Responder};
use chrono::Utc;
use serde::{Deserialize, Serialize};
use tracing::{error, info, warn};
use tracing::{error, info};
use uuid::Uuid;
use super::packages::{ApiResponse, JobResponseData};
use super::packages::ApiResponse;
use crate::jobs::manager::{JobManager, JobOperation, JobStatus};
use crate::packages::PackageManagerBackend;
/// Normalize and validate file paths to prevent path traversal attacks (VULN-002)
/// Returns None if path contains traversal patterns
fn normalize_path(path: &str) -> Option<String> {
// Reject obvious traversal patterns
if path.contains("..") || path.contains("//") {
return None;
}
// Decode common URL-encoded traversal attempts
let decoded = path
.replace("%2e", ".")
.replace("%2E", ".")
.replace("%2f", "/")
.replace("%2F", "/")
.replace("%5c", "\\")
.replace("%5C", "\\");
// Check decoded path for traversal
if decoded.contains("..") || decoded.contains("//") || decoded.contains("\\") {
return None;
}
// Ensure path starts with expected prefix or is relative
Some(path.to_string())
}
/// Validate path input for traversal attacks
fn validate_path_no_traversal(path: &str) -> bool {
normalize_path(path).is_some()
}
@ -82,7 +57,7 @@ pub async fn get_system_info(
_req: HttpRequest,
) -> impl Responder {
let request_id = Uuid::new_v4().to_string();
let timestamp = Utc::now().to_rfc3339();
let _timestamp = Utc::now().to_rfc3339();
info!(request_id = %request_id, "Getting system information");
@ -116,8 +91,8 @@ pub async fn get_system_info(
/// Health check endpoint
pub async fn health_check(_req: HttpRequest) -> impl Responder {
let request_id = Uuid::new_v4().to_string();
let timestamp = Utc::now().to_rfc3339();
let _request_id = Uuid::new_v4().to_string();
let _timestamp = Utc::now().to_rfc3339();
// Calculate uptime from /proc/uptime
let uptime_seconds = std::fs::read_to_string("/proc/uptime")
@ -150,7 +125,7 @@ pub async fn reboot_system(
_req: HttpRequest,
) -> impl Responder {
let request_id = Uuid::new_v4().to_string();
let timestamp = Utc::now().to_rfc3339();
let _timestamp = Utc::now().to_rfc3339();
let delay = body.delay_seconds;
let force = body.force;