ruby 8 lines · 1 tab

Preventing path traversal in download endpoints

Kai Nakamura Apr 2026
1 tab
base_path = Rails.root.join('storage', 'exports').realpath
requested = base_path.join(params[:filename].to_s).cleanpath

unless requested.to_s.start_with?(base_path.to_s) && requested.file?
  raise ActionController::RoutingError, 'Not Found'
end

send_file requested, disposition: 'attachment'
1 file · ruby Explain with highlit

Any endpoint that reads from disk needs path normalization and strict base-directory enforcement. I never trust user-supplied file names and I avoid passing them straight into shell commands. Safe file access is mostly about refusing to be clever.

Share this code

Here's the card — post it anywhere.

Preventing path traversal in download endpoints — share card
Link copied