Class: ActivityPub::UnsafeResolver

Inherits:
Object
  • Object
Defined in:
lib/activitypub/resolvers.rb

Overview

UnsafeResolver supports filesystem references. It’s named as it is to make you stop and think. If you load remote objects and allow the use of UnsafeResolver, it will try to load things from your filesystem. If you subsequently allow access to that data in ways that are not strictly controlled, you run the risk of a security hole.

A future version will likely allow containing this to specific paths, but currently it makes *NO ATTEMPTS* to sanitise paths, so paths including “..” etc. will allow filesystem traversal.

Instance Method Summary

Constructor Details

#initialize(base) ⇒ UnsafeResolver

Returns a new instance of UnsafeResolver.

# File 'lib/activitypub/resolvers.rb', line 42

def initialize(base)
  @base = File.expand_path(base)
end

Instance Method Details

#call(path) ⇒ Object

# File 'lib/activitypub/resolvers.rb', line 46

def call(path)
  path = File.expand_path(path,@base)
  raise "Illegal path" if path[0...@base.length] != @base
  if File.exist?(path)
    data = File.read(path)
    return ActivityPub.from_json(data)
  end
  WebResolver.call(path)
end
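
The `call` listing above compares the expanded path with `@base` by string prefix. The following is an added example, not code from this gem: it runs that comparison next to a stricter containment check over a constructed temporary directory, so the difference is visible for a sibling directory sharing the prefix and for a symlink inside the base. The names `prefix_check_allows?`, `contained_path` and `demo`, and the directory layout, are assumptions made for the illustration.

```ruby
require "tmpdir"
require "fileutils"

# The prefix comparison as written in UnsafeResolver#call on this page.
def prefix_check_allows?(base, path)
  base = File.expand_path(base)
  full = File.expand_path(path, base)
  full[0...base.length] == base
end

# Stricter containment (hypothetical helper, not part of the gem).
# Returns the real path of an existing file under base, otherwise nil.
def contained_path(base, path)
  base = File.realpath(base)               # resolve symlinks in the base itself
  full = File.expand_path(path, base)      # collapse ".." segments
  return nil unless File.exist?(full)      # the resolver only reads existing files
  full = File.realpath(full)               # resolve symlinks in the target
  # Require a separator after the base so "objects-private" does not match "objects".
  full.start_with?(base + File::SEPARATOR) ? full : nil
end

# Constructed layout: a base directory, a sibling whose name starts with the
# base name, and a symlink inside the base that points at the sibling.
def demo
  Dir.mktmpdir do |root|
    base    = File.join(root, "objects")
    sibling = File.join(root, "objects-private")
    FileUtils.mkdir_p([base, sibling])
    File.write(File.join(base, "note.json"), "{}")
    File.write(File.join(sibling, "key.json"), "{}")
    File.symlink(sibling, File.join(base, "link"))

    cases = ["note.json", "../objects-private/key.json",
             "link/key.json", "../../outside.json"]
    cases.to_h do |p|
      [p, { prefix: prefix_check_allows?(base, p),
            strict: !contained_path(base, p).nil? }]
    end
  end
end

demo.each { |path, r| puts format("%-30s prefix=%-5s strict=%s", path, r[:prefix], r[:strict]) }
```

The strict check still leaves a window between the check and the read; opening the file first and validating the opened handle's path closes it further.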