authormetamuffin <metamuffin@disroot.org>2025-12-09 16:23:21 +0100
committermetamuffin <metamuffin@disroot.org>2025-12-09 16:23:21 +0100
commit242d5763d451eed2402be7afde50cd9fa0d6bc79 (patch)
treeb16e4a3df790a498b7b44a6087dd203a0ba4b7e7 /cache
parent6edf0fd93abf7e58b4c0974e3d3e54bcf8517946 (diff)
fix cache name escape bugsnew-model
Diffstat (limited to 'cache')
-rw-r--r--cache/src/backends/filesystem.rs5
-rw-r--r--cache/src/helper.rs20
2 files changed, 17 insertions, 8 deletions
diff --git a/cache/src/backends/filesystem.rs b/cache/src/backends/filesystem.rs
index 9a9db9c..ec242d2 100644
--- a/cache/src/backends/filesystem.rs
+++ b/cache/src/backends/filesystem.rs
@@ -5,7 +5,7 @@
*/
use crate::{Config, backends::CacheStorage};
-use anyhow::Result;
+use anyhow::{Result, bail};
use rand::random;
use std::{
fs::{File, create_dir_all, rename},
@@ -34,6 +34,9 @@ impl CacheStorage for Filesystem {
Ok(())
}
fn read(&self, key: &str) -> Result<Option<Vec<u8>>> {
+ if key.contains("..") || key.starts_with("/") {
+ bail!("invalid key")
+ }
match File::open(self.0.join(key)) {
Ok(mut f) => {
let mut data = Vec::new();
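Review bot: The guard added at the top of `read` matches on raw substrings, so it rejects harmless keys such as `a..b` and judges traversal by string shape rather than by how `Path::join` will interpret the key. Checking path components states the intent directly: `if !std::path::Path::new(key).components().all(|c| matches!(c, std::path::Component::Normal(_))) { bail!("invalid key") }`. The check is added only to `read`; the method ending just above it is outside the hunk and, going by the diffstat, gets no equivalent guard. It is worth confirming that every method joining `key` onto `self.0` validates it the same way, ideally through one shared helper. The body of `read` continues past the end of the hunk.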
diff --git a/cache/src/helper.rs b/cache/src/helper.rs
index 8f73e1e..46ef661 100644
--- a/cache/src/helper.rs
+++ b/cache/src/helper.rs
@@ -31,16 +31,22 @@ impl<T: Hash> Display for HashKey<T> {
}
}
+const SAFE_CHARS: percent_encoding::AsciiSet = percent_encoding::CONTROLS
+ .add(b'.')
+ .add(b'%')
+ .add(b'/')
+ .add(b'#')
+ .add(b'?')
+ .add(b'@');
+
pub struct EscapeKey<T>(pub T);
impl<T: Display> Display for EscapeKey<T> {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
- write!(
- f,
- "{}",
- percent_encoding::utf8_percent_encode(
- &self.0.to_string(),
- percent_encoding::NON_ALPHANUMERIC,
- )
+ // TODO perf
+ f.write_str(
+ &percent_encoding::utf8_percent_encode(&self.0.to_string(), &SAFE_CHARS)
+ .to_string()
+ .replace("%", "@"),
)
}
}
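Review bot: `SAFE_CHARS` names the opposite of what the set holds: in `percent_encoding` an `AsciiSet` lists the bytes that get escaped, so a name like `ESCAPED_CHARS` would read correctly at the call site. The `.add(b'%')` and `.add(b'@')` entries are what keep the output unambiguous once `%` is rewritten to `@` in `fmt`, which deserves a comment such as `// '%' and '@' must stay in this set: '%' is replaced by '@' below, so a literal '@' has to be escaped to keep keys distinct`. `\` is not in the set; if the cache can run on a platform where it is a path separator, `.add(b'\\')` would close that gap. The new output also differs from the previous `NON_ALPHANUMERIC` encoding, so entries stored under the old names would presumably no longer be found.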