
Metadata

ID: ruby-security/rails-send-file

Language: Ruby

Severity: Warning

Category: Security

Description

This rule warns against sending files using user input directly without proper sanitization. When user input is incorporated into file paths without validation, it can lead to directory traversal attacks or unauthorized file access, potentially exposing sensitive data or compromising the system.

Ensuring that any user-supplied filename or path is sanitized or validated before being passed to methods like send_file is crucial. This can be done by whitelisting allowed filenames, restricting input to a predefined set of values, or explicitly constructing file paths without directly interpolating user input.

To avoid triggering this rule, developers should avoid passing raw parameters from user input into file paths. Instead, use fixed paths or sanitize inputs like params['filename'] before usage, for example: send_file("#{Rails.root}/foo.bar") or by validating that the filename exists within an expected directory. This reduces the risk of serving unintended files and enhances the security of file delivery in the application.
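The two mitigations above (validating that the requested name resolves to a file inside an expected directory, and restricting input to a predefined set of values) as an added, self-contained example. This is not Datadog's or Rails' code; `safe_file_path`, `allowed_download_path`, `ALLOWED_DOWNLOADS` and the sandbox built by `demo_results` are hypothetical names constructed for the example, and the controller sketch in the comment assumes the usual Rails `send_file` and `params` objects.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Resolve a user-supplied filename against a fixed base directory and return
# the absolute path only if it stays inside that directory; otherwise nil.
# Hypothetical helper (not part of Rails or the Datadog rule).
def safe_file_path(base_dir, user_input)
  return nil if user_input.nil? || user_input.to_s.empty?
  base = Pathname.new(base_dir).realpath
  # Drop every directory component: "../../etc/passwd" becomes "passwd",
  # so traversal sequences and absolute paths never reach the filesystem.
  name = File.basename(user_input.to_s)
  return nil if name == "." || name == ".."
  candidate = base.join(name)
  # Serve only existing regular files.
  return nil unless candidate.file?
  # Follow symlinks and confirm the real target is still under base_dir,
  # so a link planted inside the directory cannot point elsewhere.
  resolved = candidate.realpath
  return nil unless resolved.to_s.start_with?(base.to_s + File::SEPARATOR)
  resolved.to_s
end

# Stricter alternative: the client sends a key, never a filename, and the
# key is mapped to a fixed name from a constructed allowlist.
ALLOWED_DOWNLOADS = { "logo" => "logo.png", "manual" => "manual.pdf" }.freeze

def allowed_download_path(base_dir, key)
  name = ALLOWED_DOWNLOADS[key]
  return nil unless name
  File.join(base_dir, name)
end

# How a controller action would use the helper (sketch only; send_file,
# params and head are Rails methods and are not defined in this file):
#   def download_image
#     path = safe_file_path(Rails.root.join("public", "images"), params["filename"])
#     return head(:not_found) unless path
#     send_file(path, type: "image/jpeg", disposition: "inline")
#   end

# Constructed sandbox: a temporary images directory with one legitimate
# file, a secret outside it, and a symlink that points at the secret.
def demo_results
  Dir.mktmpdir do |dir|
    images = File.join(dir, "images")
    FileUtils.mkdir_p(images)
    File.write(File.join(images, "image.jpg"), "constructed image bytes")
    File.write(File.join(dir, "secret.txt"), "must not be served")
    File.symlink(File.join(dir, "secret.txt"), File.join(images, "link.txt"))
    {
      plain: safe_file_path(images, "image.jpg") == File.join(File.realpath(images), "image.jpg"),
      traversal: safe_file_path(images, "../secret.txt").nil?,
      absolute: safe_file_path(images, "/etc/passwd").nil?,
      symlink: safe_file_path(images, "link.txt").nil?,
      missing: safe_file_path(images, "nope.jpg").nil?,
      allowlist: allowed_download_path(images, "logo") == File.join(images, "logo.png"),
      allowlist_miss: allowed_download_path(images, "evil").nil?
    }
  end
end
```

`demo_results` returns a hash in which every value is true when the checks behave as described: the plain filename is served, the traversal, absolute-path, symlink and missing-file requests are all refused, and the allowlist only yields paths for known keys. The `File.basename` step alone already defeats `..` sequences; the `realpath` comparison is the second, independent check that catches symlinks and is the one to keep if you ever relax the first.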

Non-Compliant Code Examples

def download_image
  # params['filename'] is interpolated into the path without validation
  path = "#{Rails.root}/#{params['filename']}"
  send_file(path)
end

def download_image
  # same flaw, with the interpolation inlined into the send_file call
  send_file("#{Rails.root}/#{params['filename']}")
end

Compliant Code Examples

def download_image
  # path2 is built from user input but never passed to send_file;
  # only the fixed path is served
  path2 = "#{Rails.root}/#{params['filename']}"
  path = "#{Rails.root}/foo.bar"
  send_file(path)
end

def download_image
  # fixed path with explicit content type and disposition
  send_file("#{Rails.root}/public/images/image.jpg", type: "image/jpeg", disposition: "inline")
end