
Metadata

ID: ruby-security/rails-path-traversal

Language: Ruby

Severity: Warning

Category: Security

CWE: 35

Description

This rule aims to prevent path traversal vulnerabilities in Ruby on Rails applications. Path traversal occurs when user input is used to construct file paths without proper validation, allowing attackers to access sensitive files outside the intended directories. This can lead to unauthorized disclosure of system files, application source code, or configuration data.

It is crucial to avoid directly incorporating user-controlled parameters into file paths, especially when using methods like render file: or send_file. Attackers can manipulate these inputs to traverse directories using sequences like ../, potentially exposing critical files. Such vulnerabilities can compromise the security and integrity of your application and underlying system.

To mitigate this risk, developers should avoid interpolating user input into file paths. Instead, use safer alternatives such as render template: with fixed or validated template names. If dynamic file access is necessary, ensure strict validation and sanitization of input parameters, or constrain access to a predefined whitelist of acceptable files. Following these practices helps maintain the application’s security posture against path traversal attacks.

Non-Compliant Code Examples

def myfunction
    base = Rails.root.join("public/docs")
    # Pathname#join returns an absolute argument unchanged (discarding base),
    # and cleanpath only normalises ".." segments instead of rejecting them,
    # so params[:path] = "../../etc/passwd" resolves to a file outside base.
    requested = base.join(params[:path].to_s).cleanpath
    send_file requested, disposition: "inline"
end

def myfunction
    # e.g. params[:page] = "../../etc/passwd"
    # The interpolated value is never checked, so the rendered file can be
    # any readable file on the host, not only a view under app/views/pages.
    render file: Rails.root.join("app/views/pages", "#{params[:page]}.html.erb")
end

Compliant Code Examples

render template: "pages/otherpage"
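A fuller version of the compliant approach for both cases above, added here as an example rather than code from the Datadog rule: the send_file path is resolved against a fixed base and rejected unless it stays inside it, and the render template: name is looked up in a fixed allowlist. It uses only Pathname from the standard library so it runs outside Rails; the base directory string stands in for Rails.root.join("public/docs"), and ALLOWED_PAGES is a constructed sample.

```ruby
require "pathname"

# Raised when a requested path would leave the permitted base directory.
class PathTraversalError < StandardError; end

# Resolve a user-supplied relative path against a fixed base directory and
# return it only when it lands strictly inside that directory. `base` stands
# in for Rails.root.join("public/docs") from the rule's first example.
def safe_doc_path(base, user_path)
  base = Pathname.new(base).expand_path
  begin
    candidate = Pathname.new(user_path.to_s)
  rescue ArgumentError => e
    # Pathname refuses strings containing a null byte; reject them as well.
    raise PathTraversalError, e.message
  end
  # Pathname#join returns an absolute argument unchanged, discarding base
  # entirely, so absolute input is rejected before joining.
  raise PathTraversalError, "absolute paths are not allowed" if candidate.absolute?
  # expand_path normalises "." and ".." after joining. It does not resolve
  # symlinks; realpath would, but requires the target to exist.
  resolved = base.join(candidate).expand_path
  # Require a genuine descendant: the trailing separator stops "docs2/..."
  # from matching a base directory named "docs".
  unless resolved.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise PathTraversalError, "#{user_path.inspect} escapes #{base}"
  end
  resolved
end

# True when safe_doc_path rejects the input; handy for tests and logging.
def traversal_rejected?(base, user_path)
  safe_doc_path(base, user_path)
  false
rescue PathTraversalError
  true
end

# For render template:, do not try to sanitise the name at all: map the
# parameter onto a fixed allowlist and treat anything else as not found.
ALLOWED_PAGES = %w[home about contact].freeze

def page_template(page)
  name = page.to_s
  ALLOWED_PAGES.include?(name) ? "pages/#{name}" : nil
end
```

In a controller, the result of safe_doc_path is what gets passed to send_file, with PathTraversalError rescued and answered as a 404, and a nil from page_template is likewise answered as not found rather than interpolated into a path.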