Rust: tainted path implement basic sanitizers

aibaars · aibaars · commit 81af324d42e4 · 2025-03-13T18:47:16.000+01:00
diff --git a/rust/ql/lib/codeql/rust/Concepts.qll b/rust/ql/lib/codeql/rust/Concepts.qll
@@ -8,6 +8,8 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.threatmodels.ThreatModels
 private import codeql.rust.Frameworks
 private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.controlflow.ControlFlowGraph as Cfg
+private import codeql.rust.controlflow.CfgNodes as CfgNodes
 
 /**
  * A data flow source for a specific threat-model.
@@ -264,3 +266,44 @@ module Cryptography {
 
   class CryptographicAlgorithm = SC::CryptographicAlgorithm;
 }
+
+/** Provides classes for modeling path-related APIs. */
+module Path {
+  /**
+   * A data-flow node that performs path normalization. This is often needed in order
+   * to safely access paths.
+   */
+  class PathNormalization extends DataFlow::Node instanceof PathNormalization::Range {
+    /** Gets an argument to this path normalization that is interpreted as a path. */
+    DataFlow::Node getPathArg() { result = super.getPathArg() }
+  }
+
+  /** Provides a class for modeling new path normalization APIs. */
+  module PathNormalization {
+    /**
+     * A data-flow node that performs path normalization. This is often needed in order
+     * to safely access paths.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets an argument to this path normalization that is interpreted as a path. */
+      abstract DataFlow::Node getPathArg();
+    }
+  }
+
+  class SafeAccessCheck extends DataFlow::ExprNode {
+    SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
+  }
+
+  private predicate safeAccessCheck(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) {
+    g.(SafeAccessCheck::Range).checks(node, branch)
+  }
+
+  /** Provides a class for modeling new path safety checks. */
+  module SafeAccessCheck {
+    /** A data-flow node that checks that a path is safe to access. */
+    abstract class Range extends CfgNodes::AstCfgNode {
+      /** Holds if this guard validates `node` upon evaluating to `branch`. */
+      abstract predicate checks(Cfg::CfgNode node, boolean branch);
+    }
+  }
+}
diff --git a/rust/ql/lib/codeql/rust/Frameworks.qll b/rust/ql/lib/codeql/rust/Frameworks.qll
@@ -6,3 +6,4 @@ private import codeql.rust.frameworks.rustcrypto.RustCrypto
 private import codeql.rust.frameworks.Poem
 private import codeql.rust.frameworks.Sqlx
 private import codeql.rust.frameworks.stdlib.Clone
+private import codeql.rust.frameworks.stdlib.Stdlib
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll b/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll
@@ -0,0 +1,34 @@
+private import rust
+private import codeql.rust.Concepts
+private import codeql.rust.controlflow.ControlFlowGraph as Cfg
+private import codeql.rust.controlflow.CfgNodes as CfgNodes
+private import codeql.rust.dataflow.DataFlow
+
+/**
+ * A call to the `starts_with` method on a `Path`.
+ */
+private class StartswithCall extends Path::SafeAccessCheck::Range, CfgNodes::MethodCallExprCfgNode {
+  StartswithCall() {
+    this.getAstNode().(Resolvable).getResolvedPath() = "<crate::path::Path>::starts_with"
+  }
+
+  override predicate checks(Cfg::CfgNode e, boolean branch) {
+    e = this.getReceiver() and
+    branch = true
+  }
+}
+
+/**
+ * A call to `Path.canonicalize`.
+ * See https://doc.rust-lang.org/std/path/struct.Path.html#method.canonicalize
+ */
+private class PathCanonicalizeCall extends Path::PathNormalization::Range {
+  CfgNodes::MethodCallExprCfgNode call;
+
+  PathCanonicalizeCall() {
+    call = this.asExpr() and
+    call.getAstNode().(Resolvable).getResolvedPath() = "<crate::path::Path>::canonicalize"
+  }
+
+  override DataFlow::Node getPathArg() { result.asExpr() = call.getReceiver() }
+}
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
@@ -16,3 +16,4 @@ extensions:
       - ["lang:std", "<crate::path::PathBuf as crate::convert::From>::from", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["lang:std", "<crate::path::Path>::join", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:std", "<crate::path::Path>::join", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::path::Path>::canonicalize", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
@@ -32,3 +32,6 @@ extensions:
       - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:alloc", "<crate::string::String>::as_bytes", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:alloc", "<_ as crate::string::ToString>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]
+      # Result
+      - ["lang:core", "<crate::result::Result>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
+
diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
@@ -7,6 +7,8 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.TaintTracking
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.controlflow.ControlFlowGraph as Cfg
+private import codeql.rust.controlflow.CfgNodes as CfgNodes
 
 /**
  * Provides default sources, sinks and barriers for detecting path injection
@@ -28,6 +30,10 @@ module TaintedPath {
    */
   abstract class Barrier extends DataFlow::Node { }
 
+  class SanitizerGuard extends DataFlow::Node {
+    SanitizerGuard() { this = DataFlow::BarrierGuard<sanitizerGuard/3>::getABarrierNode() }
+  }
+
   /**
    * An active threat-model source, considered as a flow source.
    */
@@ -38,3 +44,33 @@ module TaintedPath {
     ModelsAsDataSinks() { sinkNode(this, "path-injection") }
   }
 }
+
+private predicate sanitizerGuard(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) {
+  g.(SanitizerGuard::Range).checks(node, branch)
+}
+
+/** Provides a class for modeling new path safety checks. */
+module SanitizerGuard {
+  /** A data-flow node that checks that a path is safe to access. */
+  abstract class Range extends CfgNodes::AstCfgNode {
+    /** Holds if this guard validates `node` upon evaluating to `branch`. */
+    abstract predicate checks(Cfg::CfgNode node, boolean branch);
+  }
+}
+
+/**
+ * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for
+ * path traversal.
+ */
+private class DotDotCheck extends SanitizerGuard::Range, CfgNodes::MethodCallExprCfgNode {
+  DotDotCheck() {
+    this.getAstNode().(Resolvable).getResolvedPath() = "<str>::contains" and
+    this.getArgument(0).getAstNode().(LiteralExpr).getTextValue() =
+      ["\"..\"", "\"../\"", "\"..\\\""]
+  }
+
+  override predicate checks(Cfg::CfgNode e, boolean branch) {
+    e = this.getReceiver() and
+    branch = false
+  }
+}
diff --git a/rust/ql/src/queries/security/CWE-022/TaintedPath.ql b/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
@@ -19,19 +19,72 @@ import codeql.rust.dataflow.DataFlow
 import codeql.rust.dataflow.TaintTracking
 import codeql.rust.security.TaintedPathExtensions
 import TaintedPathFlow::PathGraph
+private import codeql.rust.Concepts
+
+abstract private class NormalizationState extends string {
+  bindingset[this]
+  NormalizationState() { any() }
+}
+
+/** A state signifying that the file path has not been normalized. */
+class NotNormalized extends NormalizationState {
+  NotNormalized() { this = "NotNormalized" }
+}
+
+/** A state signifying that the file path has been normalized, but not checked. */
+class NormalizedUnchecked extends NormalizationState {
+  NormalizedUnchecked() { this = "NormalizedUnchecked" }
+}
 
 /**
- * A taint configuration for tainted data that reaches a file access sink.
+ * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
+ * to track the requirement that a file path must be first normalized and then checked
+ * before it is safe to use.
+ *
+ * At sources, paths are assumed not normalized. At normalization points, they change
+ * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
+ * check of the prefix.
+ *
+ * Such checks are ineffective in the `NotNormalized` state.
  */
-module TaintedPathConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof TaintedPath::Source }
+module TaintedPathConfig implements DataFlow::StateConfigSig {
+  class FlowState = NormalizationState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof TaintedPath::Source and state instanceof NotNormalized
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof TaintedPath::Sink and
+    (
+      state instanceof NotNormalized or
+      state instanceof NormalizedUnchecked
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof TaintedPath::Barrier or node instanceof TaintedPath::SanitizerGuard
+  }
 
-  predicate isSink(DataFlow::Node node) { node instanceof TaintedPath::Sink }
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
+    node instanceof Path::PathNormalization and
+    state instanceof NotNormalized
+    or
+    node instanceof Path::SafeAccessCheck and
+    state instanceof NormalizedUnchecked
+  }
 
-  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof TaintedPath::Barrier }
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
+  ) {
+    nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
+    stateFrom instanceof NotNormalized and
+    stateTo instanceof NormalizedUnchecked
+  }
 }
 
-module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
+module TaintedPathFlow = TaintTracking::GlobalWithState<TaintedPathConfig>;
 
 from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink
 where TaintedPathFlow::flowPath(source, sink)
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected b/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected
@@ -1,46 +1,57 @@
 #select
 | src/main.rs:10:5:10:22 | ...::read_to_string | src/main.rs:6:11:6:19 | file_name | src/main.rs:10:5:10:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:6:11:6:19 | file_name | user-provided value |
-| src/main.rs:22:5:22:22 | ...::read_to_string | src/main.rs:15:11:15:19 | file_name | src/main.rs:22:5:22:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:15:11:15:19 | file_name | user-provided value |
-| src/main.rs:35:5:35:22 | ...::read_to_string | src/main.rs:27:11:27:19 | file_path | src/main.rs:35:5:35:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:27:11:27:19 | file_path | user-provided value |
+| src/main.rs:45:5:45:22 | ...::read_to_string | src/main.rs:37:11:37:19 | file_path | src/main.rs:45:5:45:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:37:11:37:19 | file_path | user-provided value |
+| src/main.rs:59:5:59:22 | ...::read_to_string | src/main.rs:50:11:50:19 | file_path | src/main.rs:59:5:59:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:50:11:50:19 | file_path | user-provided value |
 edges
 | src/main.rs:6:11:6:19 | file_name | src/main.rs:8:35:8:43 | file_name | provenance |  |
 | src/main.rs:8:9:8:17 | file_path | src/main.rs:10:24:10:32 | file_path | provenance |  |
 | src/main.rs:8:21:8:44 | ...::from(...) | src/main.rs:8:9:8:17 | file_path | provenance |  |
-| src/main.rs:8:35:8:43 | file_name | src/main.rs:8:21:8:44 | ...::from(...) | provenance | MaD:3 |
+| src/main.rs:8:35:8:43 | file_name | src/main.rs:8:21:8:44 | ...::from(...) | provenance | MaD:4 |
 | src/main.rs:10:24:10:32 | file_path | src/main.rs:10:5:10:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
-| src/main.rs:15:11:15:19 | file_name | src/main.rs:21:35:21:43 | file_name | provenance |  |
-| src/main.rs:21:9:21:17 | file_path | src/main.rs:22:24:22:32 | file_path | provenance |  |
-| src/main.rs:21:21:21:44 | ...::from(...) | src/main.rs:21:9:21:17 | file_path | provenance |  |
-| src/main.rs:21:35:21:43 | file_name | src/main.rs:21:21:21:44 | ...::from(...) | provenance | MaD:3 |
-| src/main.rs:22:24:22:32 | file_path | src/main.rs:22:5:22:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
-| src/main.rs:27:11:27:19 | file_path | src/main.rs:30:52:30:60 | file_path | provenance |  |
-| src/main.rs:30:9:30:17 | file_path | src/main.rs:35:24:35:32 | file_path | provenance |  |
-| src/main.rs:30:21:30:62 | public_path.join(...) | src/main.rs:30:9:30:17 | file_path | provenance |  |
-| src/main.rs:30:38:30:61 | ...::from(...) | src/main.rs:30:21:30:62 | public_path.join(...) | provenance | MaD:2 |
-| src/main.rs:30:52:30:60 | file_path | src/main.rs:30:38:30:61 | ...::from(...) | provenance | MaD:3 |
-| src/main.rs:35:24:35:32 | file_path | src/main.rs:35:5:35:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
+| src/main.rs:37:11:37:19 | file_path | src/main.rs:40:52:40:60 | file_path | provenance |  |
+| src/main.rs:40:9:40:17 | file_path | src/main.rs:45:24:45:32 | file_path | provenance |  |
+| src/main.rs:40:21:40:62 | public_path.join(...) | src/main.rs:40:9:40:17 | file_path | provenance |  |
+| src/main.rs:40:38:40:61 | ...::from(...) | src/main.rs:40:21:40:62 | public_path.join(...) | provenance | MaD:3 |
+| src/main.rs:40:52:40:60 | file_path | src/main.rs:40:38:40:61 | ...::from(...) | provenance | MaD:4 |
+| src/main.rs:45:24:45:32 | file_path | src/main.rs:45:5:45:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
+| src/main.rs:50:11:50:19 | file_path | src/main.rs:53:52:53:60 | file_path | provenance |  |
+| src/main.rs:53:9:53:17 | file_path | src/main.rs:54:21:54:29 | file_path | provenance |  |
+| src/main.rs:53:21:53:62 | public_path.join(...) | src/main.rs:53:9:53:17 | file_path | provenance |  |
+| src/main.rs:53:38:53:61 | ...::from(...) | src/main.rs:53:21:53:62 | public_path.join(...) | provenance | MaD:3 |
+| src/main.rs:53:52:53:60 | file_path | src/main.rs:53:38:53:61 | ...::from(...) | provenance | MaD:4 |
+| src/main.rs:54:9:54:17 | file_path | src/main.rs:59:24:59:32 | file_path | provenance |  |
+| src/main.rs:54:21:54:29 | file_path | src/main.rs:54:21:54:44 | file_path.canonicalize(...) | provenance | Config |
+| src/main.rs:54:21:54:44 | file_path.canonicalize(...) | src/main.rs:54:21:54:53 | ... .unwrap(...) | provenance | MaD:2 |
+| src/main.rs:54:21:54:53 | ... .unwrap(...) | src/main.rs:54:9:54:17 | file_path | provenance |  |
+| src/main.rs:59:24:59:32 | file_path | src/main.rs:59:5:59:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
 models
 | 1 | Sink: lang:std; crate::fs::read_to_string; path-injection; Argument[0] |
-| 2 | Summary: lang:std; <crate::path::Path>::join; Argument[0]; ReturnValue; taint |
-| 3 | Summary: lang:std; <crate::path::PathBuf as crate::convert::From>::from; Argument[0]; ReturnValue; taint |
+| 2 | Summary: lang:core; <crate::result::Result>::unwrap; Argument[self]; ReturnValue; taint |
+| 3 | Summary: lang:std; <crate::path::Path>::join; Argument[0]; ReturnValue; taint |
+| 4 | Summary: lang:std; <crate::path::PathBuf as crate::convert::From>::from; Argument[0]; ReturnValue; taint |
 nodes
 | src/main.rs:6:11:6:19 | file_name | semmle.label | file_name |
 | src/main.rs:8:9:8:17 | file_path | semmle.label | file_path |
 | src/main.rs:8:21:8:44 | ...::from(...) | semmle.label | ...::from(...) |
 | src/main.rs:8:35:8:43 | file_name | semmle.label | file_name |
 | src/main.rs:10:5:10:22 | ...::read_to_string | semmle.label | ...::read_to_string |
 | src/main.rs:10:24:10:32 | file_path | semmle.label | file_path |
-| src/main.rs:15:11:15:19 | file_name | semmle.label | file_name |
-| src/main.rs:21:9:21:17 | file_path | semmle.label | file_path |
-| src/main.rs:21:21:21:44 | ...::from(...) | semmle.label | ...::from(...) |
-| src/main.rs:21:35:21:43 | file_name | semmle.label | file_name |
-| src/main.rs:22:5:22:22 | ...::read_to_string | semmle.label | ...::read_to_string |
-| src/main.rs:22:24:22:32 | file_path | semmle.label | file_path |
-| src/main.rs:27:11:27:19 | file_path | semmle.label | file_path |
-| src/main.rs:30:9:30:17 | file_path | semmle.label | file_path |
-| src/main.rs:30:21:30:62 | public_path.join(...) | semmle.label | public_path.join(...) |
-| src/main.rs:30:38:30:61 | ...::from(...) | semmle.label | ...::from(...) |
-| src/main.rs:30:52:30:60 | file_path | semmle.label | file_path |
-| src/main.rs:35:5:35:22 | ...::read_to_string | semmle.label | ...::read_to_string |
-| src/main.rs:35:24:35:32 | file_path | semmle.label | file_path |
+| src/main.rs:37:11:37:19 | file_path | semmle.label | file_path |
+| src/main.rs:40:9:40:17 | file_path | semmle.label | file_path |
+| src/main.rs:40:21:40:62 | public_path.join(...) | semmle.label | public_path.join(...) |
+| src/main.rs:40:38:40:61 | ...::from(...) | semmle.label | ...::from(...) |
+| src/main.rs:40:52:40:60 | file_path | semmle.label | file_path |
+| src/main.rs:45:5:45:22 | ...::read_to_string | semmle.label | ...::read_to_string |
+| src/main.rs:45:24:45:32 | file_path | semmle.label | file_path |
+| src/main.rs:50:11:50:19 | file_path | semmle.label | file_path |
+| src/main.rs:53:9:53:17 | file_path | semmle.label | file_path |
+| src/main.rs:53:21:53:62 | public_path.join(...) | semmle.label | public_path.join(...) |
+| src/main.rs:53:38:53:61 | ...::from(...) | semmle.label | ...::from(...) |
+| src/main.rs:53:52:53:60 | file_path | semmle.label | file_path |
+| src/main.rs:54:9:54:17 | file_path | semmle.label | file_path |
+| src/main.rs:54:21:54:29 | file_path | semmle.label | file_path |
+| src/main.rs:54:21:54:44 | file_path.canonicalize(...) | semmle.label | file_path.canonicalize(...) |
+| src/main.rs:54:21:54:53 | ... .unwrap(...) | semmle.label | ... .unwrap(...) |
+| src/main.rs:59:5:59:22 | ...::read_to_string | semmle.label | ...::read_to_string |
+| src/main.rs:59:24:59:32 | file_path | semmle.label | file_path |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -11,29 +11,52 @@ fn tainted_path_handler_bad(
 }
 
 //#[handler]
-fn tainted_path_handler_good(
-    Query(file_name): Query<String>, // $ Source=remote2
-) -> Result<String> {
+fn tainted_path_handler_good(Query(file_name): Query<String>) -> Result<String> {
     // GOOD: ensure that the filename has no path separators or parent directory references
     if file_name.contains("..") || file_name.contains("/") || file_name.contains("\\") {
         return Err(Error::from_status(StatusCode::BAD_REQUEST));
     }
     let file_path = PathBuf::from(file_name);
-    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink SPURIOUS: Alert[rust/path-injection]=remote2
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink
 }
 
 //#[handler]
-fn tainted_path_handler_folder_good(
-    Query(file_path): Query<String>, // $ Source=remote3
-) -> Result<String> {
+fn tainted_path_handler_folder_good(Query(file_path): Query<String>) -> Result<String> {
     let public_path = home_dir().unwrap().join("public");
     let file_path = public_path.join(PathBuf::from(file_path));
     let file_path = file_path.canonicalize().unwrap();
     // GOOD: ensure that the path stays within the public folder
     if !file_path.starts_with(public_path) {
         return Err(Error::from_status(StatusCode::BAD_REQUEST));
     }
-    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink SPURIOUS: Alert[rust/path-injection]=remote3
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink
+}
+
+//#[handler]
+fn tainted_path_handler_folder_almost_good1(
+    Query(file_path): Query<String>, // $ Source=remote4
+) -> Result<String> {
+    let public_path = home_dir().unwrap().join("public");
+    let file_path = public_path.join(PathBuf::from(file_path));
+    // BAD: the path could still contain `..` and escape the public folder
+    if !file_path.starts_with(public_path) {
+        return Err(Error::from_status(StatusCode::BAD_REQUEST));
+    }
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink Alert[rust/path-injection]=remote4
+}
+
+//#[handler]
+fn tainted_path_handler_folder_almost_good2(
+    Query(file_path): Query<String>, // $ Source=remote5
+) -> Result<String> {
+    let public_path = home_dir().unwrap().join("public");
+    let file_path = public_path.join(PathBuf::from(file_path));
+    let file_path = file_path.canonicalize().unwrap();
+    // BAD: thecheck to ensure that the path stays within the public folder is wrong
+    if file_path.starts_with(public_path) {
+        return Err(Error::from_status(StatusCode::BAD_REQUEST));
+    }
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink Alert[rust/path-injection]=remote5
 }
 
 fn main() {}
