Class: Rack::Protection::PathTraversal

Inherits:
Base
  • Object
show all
Defined in:
lib/rack/protection/path_traversal.rb

Overview

Prevented attack

Directory traversal

Supported browsers

all

More infos

en.wikipedia.org/wiki/Directory_traversal

Unescapes ‘/’ and ‘.’, expands path_info. Thus GET /foo/%2e%2e%2fbar becomes GET /bar.

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary collapse

Methods inherited from Base

#accepts?, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#call(env) ⇒ Object



15
16
17
18
19
20
21
# File 'lib/rack/protection/path_traversal.rb', line 15

def call(env)
  path_was         = env['PATH_INFO']
  env['PATH_INFO'] = cleanup path_was if path_was && !path_was.empty?
  app.call env
ensure
  env['PATH_INFO'] = path_was
end

#cleanup(path) ⇒ Object



23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/rack/protection/path_traversal.rb', line 23

def cleanup(path)
  encoding = path.encoding
  dot   = '.'.encode(encoding)
  slash = '/'.encode(encoding)
  backslash = '\\'.encode(encoding)

  parts     = []
  unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
  unescaped = unescaped.gsub(backslash, slash)

  unescaped.split(slash).each do |part|
    next if part.empty? || (part == dot)

    part == '..' ? parts.pop : parts << part
  end

  cleaned = slash + parts.join(slash)
  cleaned << slash if parts.any? && unescaped =~ (%r{/\.{0,2}$})
  cleaned
end