Handle the case of junk following new line.

@art0007i also reported archives containing paths with junk following the
new line, this will handle the situation and also adds unit tests for
this.

Update cargo libraries.

Author: ticpu

Cargo.lock

@@ -11,13 +11,13 @@ use tokio::io::AsyncWriteExt;
 use tokio::task::JoinHandle;
 use tokio::{fs, io};
 
+mod sanitize_path;
+
 struct Config {
     input_path: String,
     log_level: LevelFilter,
 }
 
-const TRIM_CHARS: &[char] = &['\0', ' ', '\n', '\t', '\r', '/', '.'];
-
 type AssetMap = HashMap<PathBuf, Vec<u8>>;
 type FolderMap = HashMap<OsString, bool>;
 type ExtractTask = Vec<JoinHandle<Result<(), io::Error>>>;
@@ -59,20 +59,6 @@ fn parse_arguments() -> Config {
     }
 }
 
-fn sanitize_path(path: &str) -> Result<String, io::Error> {
-    let sanitized_path = path.trim_matches(TRIM_CHARS).replace('\\', "/");
-
-    if sanitized_path.contains("..") {
-        warn!("path «{}» contains .., this isn't supported", path);
-        return Err(io::Error::new(
-            io::ErrorKind::InvalidInput,
-            "Path contains invalid '..'",
-        ));
-    }
-
-    Ok(sanitized_path)
-}
-
 fn read_asset_to_memory<R: Read>(
     assets: &mut AssetMap,
     mut entry: tar::Entry<'_, R>,
@@ -135,7 +121,7 @@ async fn write_asset_to_pathname(
     entry_hash: PathBuf,
     path_name: String,
 ) -> Result<(), io::Error> {
-    let target_path = sanitize_path(&path_name)?;
+    let target_path = sanitize_path::sanitize_path(&path_name)?;
 
     if path_name != target_path {
         debug!(

src/main.rs

@@ -0,0 +1,74 @@
+use log::warn;
+use std::io;
+
+const TRIM_CHARS: &[char] = &['\0', ' ', '\n', '\t', '\r', '/', '.'];
+const END_OF_STRING_CHARS: &[char] = &['\0', '\n', '\r'];
+
+pub fn sanitize_path(path: &str) -> Result<String, io::Error> {
+    let sanitized_path = path.trim_matches(TRIM_CHARS).replace('\\', "/");
+
+    if let Some(idx) = sanitized_path.rfind('/') {
+        let (dir_part, _) = sanitized_path.split_at(idx);
+
+        // Check for ".." only in the directory part
+        if dir_part.contains("..") {
+            warn!(
+                "path «{}» contains .. in directory part, this isn't supported",
+                path
+            );
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "Path contains invalid '..' in directory part",
+            ));
+        }
+    }
+
+    match sanitized_path.find(END_OF_STRING_CHARS) {
+        Some(idx) => {
+            let (final_path, _) = sanitized_path.split_at(idx);
+            Ok(final_path.to_string())
+        }
+        None => Ok(sanitized_path),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_sanitize_path() {
+        // Normal filename
+        assert_eq!(sanitize_path("filename.ext").unwrap(), "filename.ext");
+
+        // Normal path
+        assert_eq!(
+            sanitize_path("folder\\file.ext").unwrap(),
+            "folder/file.ext"
+        );
+
+        // Unix path
+        assert_eq!(sanitize_path("folder/file.ext").unwrap(), "folder/file.ext");
+
+        // Any number or ../ at the start will be removed.
+        assert_eq!(
+            sanitize_path("../folder/file.ext").unwrap(),
+            "folder/file.ext"
+        );
+
+        // .. anywhere in the dir part will error out.
+        assert!(sanitize_path("folder/../file.ext").is_err());
+
+        // new line/empty chars at the end should be removed
+        assert_eq!(
+            sanitize_path("folder/file.ext\r\n\0").unwrap(),
+            "folder/file.ext"
+        );
+
+        // anything after a new line should be trimmed off
+        assert_eq!(
+            sanitize_path("folder/file.ext\n00").unwrap(),
+            "folder/file.ext"
+        );
+    }
+}