Fix Improper Assets Management in Rocket
Improper asset management in Rocket-based apps is a fast track to LFI (Local File Inclusion). If you're manually joining paths or mounting your project root, you're leaking .env files, SSH keys, and source code. Secure your static file handling before someone else dumps your environment variables.
The Vulnerable Pattern
```rust
#[macro_use] extern crate rocket;

use rocket::fs::NamedFile;
use std::path::{Path, PathBuf};

#[get("/assets/<file..>")]
async fn unsafe_assets(file: PathBuf) -> Option<NamedFile> {
    // DANGER: Joining the user-controlled path segments onto the project root
    // lets a request use '..' to escape the intended directory.
    NamedFile::open(Path::new("./").join(file)).await.ok()
}
```
The Secure Implementation
The vulnerability exists when the application trusts user-controlled path segments to access the filesystem. In the vulnerable example, an attacker can request '/assets/../../etc/passwd' to read sensitive system files. While Rocket's PathBuf does some basic validation, manually joining it onto a root such as './' is inherently risky. The secure fix uses Rocket's built-in 'FileServer'. It uses the 'relative!' macro to resolve the asset directory relative to the crate root at compile time, and it performs the checks needed to ensure requested paths cannot escape the designated directory.
```rust
#[macro_use] extern crate rocket;

use rocket::fs::{relative, FileServer};

#[launch]
fn rocket() -> _ {
    // SECURE: FileServer handles path sanitization, prevents directory
    // traversal, and restricts access to the 'static' folder.
    rocket::build().mount("/assets", FileServer::from(relative!("static")))
}
```
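FileServer performs the containment for you; a handler that must open files itself (for example to run an authorization check before serving) needs the same two checks. The following is an added example, not code from this page or from the Rocket project: it uses only the standard library so it runs without Rocket, and resolve_asset is a hypothetical helper name. It rejects any non-plain path component, then canonicalizes both sides so a symlink inside the asset directory that points outside it is also refused.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve a user-supplied asset path against `root`, returning None if the
/// request would leave the asset directory. (Hypothetical helper, not Rocket API.)
pub fn resolve_asset(root: &Path, requested: &str) -> Option<PathBuf> {
    // 1. Structural check: only plain file or directory names are accepted.
    //    This rejects "..", ".", absolute paths and Windows drive prefixes up front.
    let rel = Path::new(requested);
    if rel.components().next().is_none() {
        return None;
    }
    if rel.components().any(|c| !matches!(c, Component::Normal(_))) {
        return None;
    }

    // 2. Filesystem check: canonicalize both the root and the joined path so
    //    symlinks inside the asset directory that point outside it are caught.
    let root = root.canonicalize().ok()?;
    let full = root.join(rel).canonicalize().ok()?;
    if !full.starts_with(&root) {
        return None;
    }

    // 3. Serve regular files only, never directories.
    if !full.is_file() {
        return None;
    }
    Some(full)
}

fn main() {
    // Assumes an asset directory named "static" next to the binary.
    let root = Path::new("static");
    for req in ["app.js", "../.env", "/etc/passwd"] {
        println!("{req:?} -> {:?}", resolve_asset(root, req));
    }
}
```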
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.