Preventing path traversal in download endpoints

10462 views

                  base_path = Rails.root.join('storage', 'exports').realpath
requested = base_path.join(params[:filename].to_s).cleanpath

unless requested.to_s.start_with?(base_path.to_s) && requested.file?
  raise ActionController::RoutingError, 'Not Found'
end

send_file requested, disposition: 'attachment'

Any endpoint that reads from disk needs path normalization and strict base-directory enforcement. I never trust user-supplied file names and I avoid passing them straight into shell commands. Safe file access is mostly about refusing to be clever.

Kai Nakamura

More from Kai Nakamura

Preventing path traversal in download endpoints

0 Comments

More from Kai Nakamura