mirror of
https://github.com/github/codeql.git
synced 2026-04-27 01:35:13 +02:00
24a10aa5ff
This method is available in ActionController actions, and sends the file at the given path to the client.
75 lines
1.6 KiB
Ruby
75 lines
1.6 KiB
Ruby
class FooController < ActionController::Base
|
|
# BAD
|
|
def route0
|
|
path = params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.absolute_path preserves taint
|
|
def route1
|
|
path = File.absolute_path params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.dirname preserves taint
|
|
def route2
|
|
path = "#{File.dirname(params[:path])}/foo"
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.expand_path preserves taint
|
|
def route3
|
|
path = File.expand_path params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.path preserves taint
|
|
def route4
|
|
path = File.path params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.realdirpath preserves taint
|
|
def route5
|
|
path = File.realdirpath params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - File.realpath preserves taint
|
|
def route6
|
|
path = File.realpath params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD - tainted arguments in any position propagate to the return value of
|
|
# File.join
|
|
def route7
|
|
path = File.join("foo", "bar", "baz", params[:path], "qux")
|
|
@content = File.read path
|
|
end
|
|
|
|
# GOOD - File.basename does not preserve taint
|
|
def route8
|
|
path = File.basename params[:path]
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD
|
|
def route9
|
|
path = ActiveStorage::Filename.new(params[:path])
|
|
@content = File.read path
|
|
end
|
|
|
|
# GOOD - explicitly sanitized
|
|
def route10
|
|
path = ActiveStorage::Filename.new(params[:path]).sanitized
|
|
@content = File.read path
|
|
end
|
|
|
|
# BAD
|
|
def route11
|
|
path = ActiveStorage::Filename.new(params[:path])
|
|
send_file path
|
|
end
|
|
end
|