ruby
8 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
base_path = Rails.root.join('storage', 'exports').realpath
requested = base_path.join(params[:filename].to_s).cleanpath
unless requested.to_s.start_with?(base_path.to_s) && requested.file?
raise ActionController::RoutingError, 'Not Found'
end
send_file requested, disposition: 'attachment'
1 file · ruby
Explain with highlit
Any endpoint that reads from disk needs path normalization and strict base-directory enforcement. I never trust user-supplied file names and I avoid passing them straight into shell commands. Safe file access is mostly about refusing to be clever.
Share this code
Here's the card — post it anywhere.