Fix directory traversal vulnerability in static file route [#177]

2023-03-27 23:18:01 -04:00 · 2009-03-09 14:46:45 -07:00 · 2009-03-09 14:46:45 -07:00 · ed98aed36f
commit ed98aed36f
parent 01b1f4945e
2 changed files with 18 additions and 1 deletions
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@ -884,7 +884,9 @@ module Sinatra
    # static files route
    get(/.*[^\/]$/) do
      pass unless options.static? && options.public?
-      path = options.public + unescape(request.path_info)
+      public_dir = File.expand_path(options.public)
+      path = File.expand_path(public_dir + unescape(request.path_info))
+      pass if path[0, public_dir.length] != public_dir
      pass unless File.file?(path)
      send_file path, :disposition => nil
    end
--- a/test/static_test.rb
+++ b/test/static_test.rb
@ -62,4 +62,19 @@ describe 'Static' do
    get "/foobarbaz.txt"
    assert not_found?
  end
+
+  it 'serves files when .. path traverses within public directory' do
+    get "/data/../#{File.basename(__FILE__)}"
+    assert ok?
+    assert_equal File.read(__FILE__), body
+  end
+
+  it '404s when .. path traverses outside of public directory' do
+    mock_app {
+      set :static, true
+      set :public, File.dirname(__FILE__) + '/data'
+    }
+    get "/../#{File.basename(__FILE__)}"
+    assert not_found?
+  end
 end