chore: base fuzz and micro-benchmark testing for static files module (#310)

it just introduces fuzzing and micro-benchmark tests for the static files module. As a way to continue enhancing the performance and security of SWS in general. It is expected to be improved over time including other modules as well.

benches/Cargo.toml

@@ -13,3 +13,8 @@ hyper = { version = "0.14", features = ["stream", "http1", "http2", "tcp", "serv
 name = "control_headers"
 path = "control_headers.rs"
 harness = false
+
+[[bench]]
+name = "static_files"
+path = "static_files.rs"
+harness = false

benches/static_files.rs

@@ -0,0 +1,29 @@
+use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion};
+
+use static_web_server::static_files;
+
+#[derive(Debug)]
+struct Inputs<'a> {
+    base_path: &'a std::path::Path,
+    uri_path: &'a str,
+}
+impl std::fmt::Display for Inputs<'_> {
+    fn fmt(&self, fmt: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> {
+        write!(fmt, "{:?}", self)
+    }
+}
+
+fn sanitize_path_benchmark(c: &mut Criterion) {
+    let base_path = std::path::Path::new("root/../");
+    let uri_path: &str = "../assets/../../.../image.jpg";
+    let inputs = Inputs {
+        base_path,
+        uri_path,
+    };
+    c.bench_with_input(BenchmarkId::new("path_inputs", &inputs), &inputs, |b, s| {
+        b.iter(|| static_files::sanitize_path(s.base_path, s.uri_path))
+    });
+}
+
+criterion_group!(static_files_bench, sanitize_path_benchmark);
+criterion_main!(static_files_bench);

fuzz/.gitignore

@@ -0,0 +1,6 @@
+target
+corpus
+artifacts
+coverage
+Cargo.lock
+crash*

fuzz/Cargo.toml

@@ -0,0 +1,22 @@
+[package]
+name = "static-web-server-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+rust-version = "1.70.0"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+arbitrary = { version = "1",  features = ["derive"] }
+libfuzzer-sys = { version = "0.4", features = ["arbitrary-derive"] }
+static-web-server = { path = ".." }
+hyper = { version = "0.14", features = ["stream", "http1", "http2", "tcp", "server"] }
+
+[profile.release]
+debug = 1
+
+[[bin]]
+name = "static_files"
+path = "src/static_files.rs"

fuzz/src/static_files.rs

@@ -0,0 +1,17 @@
+#![no_main]
+
+use libfuzzer_sys::arbitrary::Arbitrary;
+use libfuzzer_sys::fuzz_target;
+use static_web_server::static_files;
+
+#[derive(Debug, Arbitrary)]
+struct RequestPath {
+    base: Vec<u8>,
+    uri: Vec<u8>,
+}
+
+fuzz_target!(|input: RequestPath| {
+    let uri = unsafe { std::str::from_utf8_unchecked(&input.uri[..]) };
+    let base = unsafe { std::str::from_utf8_unchecked(&input.base[..]) };
+    let _ = static_files::sanitize_path(std::path::Path::new(base), uri);
+});

src/static_files.rs

@@ -751,6 +751,18 @@ mod tests {
             sanitize_path(base_dir, "/../foo.html").unwrap(),
             root_dir().join("foo.html"),
         );
+        assert_eq!(
+            sanitize_path(base_dir, "/../W<>foo.html").unwrap(),
+            root_dir().join("W<EFBFBD>foo.html"),
+        );
+        assert_eq!(
+            sanitize_path(base_dir, "/%EF%BF%BD/../bar.html").unwrap(),
+            root_dir().join("<EFBFBD>/bar.html"),
+        );
+        assert_eq!(
+            sanitize_path(base_dir, "àí/é%20/öüñ").unwrap(),
+            root_dir().join("àí/é /öüñ"),
+        );
 
         #[cfg(unix)]
         let expected_path = root_dir().join("C:\\/foo.html");