Avoid sending files without sanitizing user input

Docs > Plateforme de sécurité Datadog > Code Security > Static Code Analysis (SAST) > Règles SAST > Avoid sending files without sanitizing user input

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: ruby-security/rails-send-file

Language: Ruby

Severity: Warning

Category: Security

Description

This rule warns against sending files using user input directly without proper sanitization. When user input is incorporated into file paths without validation, it can lead to directory traversal attacks or unauthorized file access, potentially exposing sensitive data or compromising the system.

Ensuring that any user-supplied filename or path is sanitized or validated before being passed to methods like send_file is crucial. This can be done by whitelisting allowed filenames, restricting input to a predefined set of values, or explicitly constructing file paths without directly interpolating user input.

To avoid triggering this rule, developers should avoid passing raw parameters from user input into file paths. Instead, use fixed paths or sanitize inputs like params['filename'] before usage, for example: send_file("#{Rails.root}/foo.bar") or by validating that the filename exists within an expected directory. This reduces the risk of serving unintended files and enhances the security of file delivery in the application.

Non-Compliant Code Examples

def download_image
  path = "#{Rails.root}/#{params['filename']}"
  send_file(path)
end

def download_image
  send_file("#{Rails.root}/#{params['filename']}")
end

Compliant Code Examples

def download_image
  path2 = "#{Rails.root}/#{params['filename']}"
  path = "#{Rails.root}/foo.bar"
  send_file(path)
end

def download_image
  send_file("#{Rails.root}/public/images/image.jpg", type: "image/jpeg", disposition: "inline")
end