validate expanded path matches public_dir when serving static files

2023-03-27 23:18:01 -04:00 · 2021-02-17 17:43:15 -05:00 · 2021-02-17 17:43:15 -05:00 · 462c3ca1db
commit 462c3ca1db
parent ed2add3785
2 changed files with 2 additions and 0 deletions
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@ -1090,6 +1090,7 @@ module Sinatra
      return unless valid_path?(path)

      path = File.expand_path(path)
+      return unless path.start_with?(File.expand_path(public_dir) + '/')
      return unless File.file?(path)

      env['sinatra.static_file'] = path
--- a/test/static_test.rb
+++ b/test/static_test.rb
@ -97,6 +97,7 @@ class StaticTest < Minitest::Test
    mock_app do
      set :static, true
      set :public_folder, __dir__ + '/data'
+      disable :protection
    end
    get "/../#{File.basename(__FILE__)}"
    assert not_found?