This rule aims to prevent path traversal vulnerabilities in Ruby on Rails applications. Path traversal occurs when user input is used to construct file paths without proper validation, allowing attackers to access sensitive files outside the intended directories. This can lead to unauthorized disclosure of system files, application source code, or configuration data.
It is crucial to avoid directly incorporating user-controlled parameters into file paths, especially when using methods like render file: or send_file. Attackers can manipulate these inputs to traverse directories using sequences like ../, potentially exposing critical files. Such vulnerabilities can compromise the security and integrity of your application and underlying system.
To mitigate this risk, developers should avoid interpolating user input into file paths. Instead, use safer alternatives such as render template: with fixed or validated template names. If dynamic file access is necessary, ensure strict validation and sanitization of input parameters, or constrain access to a predefined whitelist of acceptable files. Following these practices helps maintain the application’s security posture against path traversal attacks.
Non-Compliant Code Examples

```ruby
def myfunction
  # e.g. params[:page] = "../../etc/passwd"
  render file: Rails.root.join("app/views/pages", "#{params[:page]}.html.erb")
end
```
Compliant Code Examples
```ruby
module MyModule
  class User < BaseController
    def create
      # fetch from database, we assume the data is safe
      viewer = func(User.find(params[:user_id]))
      render json: { viewer_added: viewer.present? }
    end
  end
end
```

```ruby
render template: "pages/otherpage"
```
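The two mitigation strategies described above (a fixed allow-list of template names, or strict validation of a dynamic name plus a containment check on the resolved path) as an added example; this is not code from the original page or from Datadog. The page names, the base directory and the helper names are assumptions made for illustration, and the helpers return plain strings so they run outside Rails.

```ruby
require "pathname"

# Hypothetical allow-list of page names (constructed for this example).
ALLOWED_PAGES = %w[home about contact].freeze

# Strategy 1: accept only names from a fixed allow-list and never build the
# template name from raw input. Returns the template Rails would render via
# `render template:`, or nil when the parameter is not permitted.
def page_template_for(param)
  return nil unless ALLOWED_PAGES.include?(param.to_s)
  "pages/#{param}"
end

# Strategy 2: when the set of files is dynamic, restrict the input to a safe
# character class (no "/", no ".") and then confirm that the resolved absolute
# path still lies inside the base directory. Returns the absolute path, or nil
# if the input is rejected. Both checks are kept: the regex stops "../", and
# the containment check guards against any future loosening of the regex.
def safe_page_path(base_dir, param)
  name = param.to_s
  return nil unless name.match?(/\A[a-z0-9_-]+\z/)

  base = Pathname.new(base_dir).expand_path
  candidate = (base + "#{name}.html.erb").expand_path
  return nil unless candidate.to_s.start_with?(base.to_s + File::SEPARATOR)

  candidate.to_s
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/app/app/views/pages" # assumed layout, not a real path on this host
  ["about", "../../etc/passwd", "about/../../../etc/passwd"].each do |input|
    puts "#{input.inspect} -> template=#{page_template_for(input).inspect} " \
         "path=#{safe_page_path(base, input).inspect}"
  end
end
```

In a controller the first helper feeds `render template: page_template_for(params[:page])` after a nil check, and the second is only needed when the allowed file set genuinely cannot be enumerated up front.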
Datadog Code Security
Analyze your code with Datadog Code Security using this rule
How to use the rule
```yaml
rulesets:
  - ruby-security # Rules to enforce Ruby security.
```
Create a static-analysis.datadog.yml file at the root of your repository with the content above.
Use our free IDE plugins or add Code Security scans to your CI pipeline.