JRuby-Rack Rails applications may have directory traversal issues in some configurations
Currently I am facing an issue while using the Warbler gem. I am using a JRuby-based Rails application. I am able to access file paths directly in the server URL, which is breaking security. So I was trying to modify config/warble.rb, where I have made some changes, which are shown below.

```ruby
config.webxml.jruby.min.runtimes = 1
config.webxml.jruby.max.runtimes = 1
config.webxml.org.eclipse.jetty.servlet.default.dirAllowed = false
```

After adding the config, I am able to access the WEB-INF directory as well as files from a direct server URL, which is breaking the security of our application. For example:

- server url/WEB-INF./web.xml
- server url/WEB-INF./config/secrets.yml

All the files can be accessed from this directory.

It looks like this is just preventing directory access, but files are still accessible from a file path in the URL directly. Does anyone have any idea how to fix this issue in Warbler? Any help would be appreciated. Thanks.
Any updates on this? We are also facing the same issue. Adding

```ruby
config.webxml.org.eclipse.jetty.servlet.default.dirAllowed = false
```

does not have an effect on the generated web.xml file, and opening `localhost:8080/test..%2F..%2F` seems to just render a listing of the server's directory files.
This bug relates to the servlet-rack bridge https://github.com/jruby/jruby-rack, not the (Warbler) packaging tool.
@kares, if this is indeed the case and is valid for non-Jetty, do you want to move this issue to the other project when you have a minute?
@kares are you able to share any thoughts on which circumstances this would have to be the case to be true? Did you happen to replicate it?
Is this a rails root problem or some issue with query path parsing before offloading to the application?
We can transfer this issue to jruby-rack if it is confirmed to still be happening. This was filed a couple of years ago, and I'm not sure what versions of libraries were used.
My initial thought was that we do something wrong with the RackFilter and jruby-rack's attempt to allow for serving assets (packaged with the .war) as well as dynamic requests using the filter /* mapping.

No replication or ideas about fixing; would need to sit down and look into it...
Ok, thanks! I'll have a play.
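As an added, defender-side example (not code from this thread, jruby-rack or Warbler), the following Ruby script classifies request paths of the shapes reported above, such as `/WEB-INF./web.xml` and `test..%2F..%2F`, after percent-decoding and segment normalisation, and runs that check over a few constructed access-log lines. The names `PROTECTED_PREFIXES`, `SAMPLE_LOG`, `classify` and `suspicious_requests` and the log lines themselves are assumptions made for the example.

```ruby
# Added example (not from the thread, jruby-rack or Warbler): classify request
# paths from a servlet container's access log for traversal / WEB-INF access.
# PROTECTED_PREFIXES and SAMPLE_LOG are constructed assumptions.
PROTECTED_PREFIXES = ["/web-inf", "/meta-inf"].freeze
# Percent-decode until stable, so "..%2F" and "%252e%252e" become literal.
def fully_decode(path)
  loop do
    decoded = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    return decoded if decoded == path
    path = decoded
  end
end

# Verdicts: :escape (".." climbs above the web root), :protected (canonical path
# is under WEB-INF/META-INF, "WEB-INF." included), :traversal (".." inside root), :ok.
def classify(raw_path)
  segments = []
  escaped = dotdot = false
  fully_decode(raw_path).split("/").each do |seg|
    if seg == ".."
      dotdot = true
      escaped = true if segments.empty?
      segments.pop
      next
    end
    seg = seg.sub(/\.+\z/, "")   # "WEB-INF." -> "WEB-INF", "." -> ""
    segments << seg unless seg.empty?
  end
  return :escape if escaped
  canonical = "/" + segments.join("/").downcase
  return :protected if PROTECTED_PREFIXES.any? { |p| canonical == p || canonical.start_with?(p + "/") }
  dotdot ? :traversal : :ok
end

# Constructed Common Log Format lines covering the URL shapes from the thread.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /assets/app.css HTTP/1.1" 200 812
  10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /WEB-INF./config/secrets.yml HTTP/1.1" 200 344
  10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /test..%2F..%2F HTTP/1.1" 200 2048
  10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
LOG

# Returns [[path, verdict], ...] for every logged request that is not :ok.
def suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP/) or next
    verdict = classify(m[1].split("?", 2).first)
    [m[1], verdict] unless verdict == :ok
  end
end
suspicious_requests(SAMPLE_LOG).each { |path, verdict| puts "#{verdict}\t#{path}" }
```

This is a log-review check rather than a fix: the thread locates the problem in jruby-rack's RackFilter, not in the application code or the Warbler config.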