
List:       ruby-talk
Subject:    Re: Ensuring a file path is contained in a directory
From:       Alejandro Exojo <suy () badopi ! org>
Date:       2015-01-14 23:19:03
Message-ID: 201501150019.03300.suy () badopi ! org

On Tuesday 13 January 2015, Jesús Gabriel y Galán wrote:
> Honest question:
> 
> Is this a fragile test? I'm by no means a security expert, but it
> looks to me that File#expand_path normalizes the path, removing "..",
> "~", so I'm interested in understanding if this could be broken:
> 
> 2.0.0-p195 :001 > def is_within path,base
> 2.0.0-p195 :002?>   base_expanded = File.expand_path base
> 2.0.0-p195 :003?>   path_expanded = File.expand_path path,base
> 2.0.0-p195 :004?>   path_expanded.start_with? base_expanded
> 2.0.0-p195 :005?>   end
>  => nil

There is the flaw that an extra slash might be needed:

[10] pry(main)> def is_within path, base
[10] pry(main)*   base_expanded = File.expand_path base
[10] pry(main)*   path_expanded = File.expand_path path, base
[10] pry(main)*   path_expanded.start_with? base_expanded
[10] pry(main)* end
=> nil
[11] pry(main)> is_within '/var/foobar', '/var/foo'
=> true

I think it is a little bit up to you how you define the input strings. '/var/foo'
could be a directory, or file 'foo' in directory '/var'. I tend to prefer to
clearly state what is a directory by adding a trailing slash, but typically
APIs return paths with that trailing slash removed, the same way that two
consecutive slashes are simplified as well.

-- 
Alex (a.k.a. suy) | GPG ID 0x0B8B0BC2
http://barnacity.net/ | http://disperso.net
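Added example, not part of either message in the thread: the prefix check as posted, kept side by side with a version that requires a separator after the expanded base, so that the '/var/foobar' vs '/var/foo' case from the reply is rejected. Assumes a POSIX filesystem (forward-slash separators); the method names are my own.

```ruby
# The check as posted in the thread. File.expand_path resolves "..", ".",
# "~" and doubled slashes, but a bare prefix comparison still accepts a
# sibling whose name merely starts with the base name ('/var/foobar').
def is_within_naive(path, base)
  base_expanded = File.expand_path(base)
  path_expanded = File.expand_path(path, base)
  path_expanded.start_with?(base_expanded)
end

# Hardened form: the path must either be the base itself, or start with
# the base followed by a separator. The only expanded path that already
# ends in a separator is the root ('/'), so do not append a second one.
def is_within(path, base)
  base_expanded = File.expand_path(base)
  path_expanded = File.expand_path(path, base)
  return true if path_expanded == base_expanded

  prefix = if base_expanded.end_with?(File::SEPARATOR)
             base_expanded
           else
             base_expanded + File::SEPARATOR
           end
  path_expanded.start_with?(prefix)
end

# Caveat (not covered by either check): File.expand_path is purely
# lexical and does not follow symlinks. If the base may contain symlinks
# pointing outside it, resolve both sides with File.realpath first,
# which requires the entries to exist on disk.

if __FILE__ == $PROGRAM_NAME
  base = '/var/foo'
  ['/var/foobar', '/var/foo/bar', 'bar/../../etc/passwd', '/var/foo/'].each do |p|
    puts format('%-24s naive=%-5s hardened=%s', p,
                is_within_naive(p, base), is_within(p, base))
  end
end
```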