Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix cache rendering with namespaced resources #874

Merged
merged 1 commit into from
May 24, 2023

Conversation

stormsilver
Copy link
Contributor

The path traversal sanitization was incorrectly filtering out paths that included the - character. Namespaced resources generates files like api-v1-resource.html which were then returning a 400.

The path traversal sanitization was incorrectly filtering out paths that included
the `-` character. Namespaced resources generates files like `api-v1-resource.html`
which were then returning a 400.
path << "/" << params[:version] if params[:version].present?
path << "/" << params[:resource] if params[:resource].present?
path << "/" << params[:method] if params[:method].present?
if params[:format].present?
path << ".#{params[:format]}"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but we are not adding this anymore?

end
# Sanitize path against directory traversal attacks (e.g. ../../foo)
# by turning path into an absolute path before appending it to the cache dir
path = File.expand_path("#{path}.#{request.format.symbol}", '/')
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see you are taking the format from the request, but can it be different?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! Sorry I didn't respond earlier - yesterday was really busy.

Since Rails/Rack assemble the request format for us, I figured it was safest to use request.format rather than us needing to sanitize params[:format] ourselves. It's one small security item we don't have to do.

If we had a large variety request formats it might be possible for request.format.symbol to be different from the file extension on the file system, but we only have html and json which are pretty standard. I don't think it can be different.

I'm more than willing to change this in a new PR if you think we should. Thank you for merging it! (And all my other recent PRs - you are super responsive which is not often found 🎉 )

@mathieujobin mathieujobin merged commit 661fc15 into Apipie:master May 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants