Ruby: Model send_file
Recognise send_file as a FileSystemAccess
This method is available in ActionController actions, and sends the file at the given path to the client.
The new DCA results imply that we need to add some sanitizers to the path injection query:
Sanitize via .match? guard (the regex must be anchored to the whole string: in Ruby `^` and `$` match at line boundaries, so `/^\h{40}$/` lets `"<40 hex chars>\n../../etc/passwd"` through; `\A` and `\z` do not)
digest = params[:digest]
raise if !digest.match?(/\A\h{40}\z/)  # exactly 40 hex digits, nothing before or after
path = "/assets/#{digest}.js"
send_file(path)
Sanitize via Rack::Utils.clean_path_info (drops `.` and `..` segments so the result cannot climb above its first segment; it does not confine the result to a base directory, so the cleaned path should still be joined onto a fixed one)
path = Rack::Utils.clean_path_info(params[:path])
send_file(path)
Sanitize via .start_with? guard (expand first, then compare; the trailing separator on the prefix keeps a sibling directory such as `public/assets_private` from passing)
path = File.expand_path(Rails.root + "public/assets/#{params[:path]}#{suffix}")
raise unless path.start_with?(Rails.root.to_s + "/public/assets/")
send_file(path)
Sanitize via route constraint (note: Rails anchors a constraint regex implicitly, so it is required to match the whole segment; `^`/`$` anchors are not allowed in constraints)
# routes.rb
get "stylesheets/:name.css" => "stylesheets#show", constraints: { name: /[-a-z0-9_]+/ }
# stylesheets_controller.rb
name = params[:name]  # already restricted to [-a-z0-9_]+ by the route
location = "#{cache_path}/#{name}.css"
send_file(location)
Sanitize via string equality comparison (only a value equal to a known constant reaches the path)
digest = params[:digest]
raise if digest != known_digest
path = "/assets/#{digest}.js"
send_file(path)
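The following is an added example, not code from this PR or from the CodeQL Ruby library: it implements three of the guards above (regex match, prefix check after `File.expand_path`, equality) as plain Ruby functions with a hard-coded root in place of `Rails.root`, and runs traversal inputs through each so the difference between the correct and the sloppy form (`^`/`$` versus `\A`/`\z`, prefix with and without the trailing `/`) is observable. The route-constraint and `Rack::Utils.clean_path_info` patterns need Rails and Rack and are left out. `ROOT`, `ASSETS_DIR`, the function names and the sample inputs are all constructed for the example.

```ruby
# Added example: sanitizer patterns for path injection before send_file,
# exercised without Rails. ROOT stands in for Rails.root (assumption).
ROOT = "/srv/app".freeze
ASSETS_DIR = File.join(ROOT, "public", "assets").freeze

# Guard 1: whole-string regex match.
# anchors: :string uses \A..\z (correct); :line uses ^..$ (Ruby line anchors,
# which a multi-line value can satisfy while still carrying extra content).
def hex_digest_guard(digest, anchors: :string)
  re = anchors == :string ? /\A\h{40}\z/ : /^\h{40}$/
  raise ArgumentError, "bad digest" unless digest.match?(re)
  "/assets/#{digest}.js"
end

# Guard 2: expand the candidate path, then require it to sit under ASSETS_DIR.
# strict: true compares against "ASSETS_DIR/" so that a sibling directory
# such as public/assets_private does not pass the prefix check.
def prefix_guard(user_path, suffix: ".css", strict: true)
  path = File.expand_path(File.join(ASSETS_DIR, "#{user_path}#{suffix}"))
  prefix = strict ? ASSETS_DIR + "/" : ASSETS_DIR
  raise ArgumentError, "outside assets dir" unless path.start_with?(prefix)
  path
end

# Guard 3: the user value must equal a known constant before it is used.
def equality_guard(digest, known_digest)
  raise ArgumentError, "unknown digest" if digest != known_digest
  "/assets/#{digest}.js"
end

# Helper: true if the block raised ArgumentError (i.e. the guard rejected).
def rejected?
  yield
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  good = "a" * 40                                  # constructed valid digest
  multiline = good + "\n../../etc/passwd"          # constructed bypass attempt
  puts "match? \\A..\\z rejects multiline:  #{rejected? { hex_digest_guard(multiline) }}"
  puts "match? ^..$ rejects multiline:     #{rejected? { hex_digest_guard(multiline, anchors: :line) }}"
  puts "prefix (strict) rejects sibling:   #{rejected? { prefix_guard('../assets_private/x') }}"
  puts "prefix (lax) rejects sibling:      #{rejected? { prefix_guard('../assets_private/x', strict: false) }}"
  puts "prefix rejects traversal:          #{rejected? { prefix_guard('../../../etc/passwd') }}"
  puts "equality rejects other digest:     #{rejected? { equality_guard('b' * 40, good) }}"
end
```

Run it with `ruby sanitizers.rb`: the `^`/`$` regex and the prefix check without the trailing slash both print `false` for their bypass inputs, which is why the model should only treat the anchored and separator-terminated forms as sanitizers.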