Sanitize user-generated filenames and only send files inside a given directory

Posted About 13 years ago. Visible to the public.

If in your application your users pass along params that result in filenames, like invoices/generated?number=123. This could be your (very careless) controller method:

def generated
  send_file File.join(Rails.root, 'shared', 'invoices', params[:number])
end

This allows your users not only to access those files but also any files your application can read, like this:

invoices/generated?number=../../../../../etc/passwd
# => send_file '/etc/passwd'

You do not want this. In most cases you should prefer a show method that does not open files directly from the file system -- the following is for those rare cases in which you can not do that.

First, check if the requested file is actually at the place you would want it to be and only send it if that is the case.

You can use the following trait Show archive.org snapshot and always call send_file_inside with the parent directory of the files as the first parameter, like so:

send_file_inside File.join(Rails.root, 'shared', 'invoices'), params[:number]

Do not use only Rails.root -- this would allow access to config/environment.rb and other sensitive data inside your application's directory.

Put this into app/controllers/shared/send_file_inside_trait.rb:

module ApplicationController::SendFileInsideTrait
  as_trait do

    private

    def send_file_inside(allowed_path, filename, options = {})
      path = File.expand_path(File.join(allowed_path, filename))
      if path.match Regexp.new('^' + Regexp.escape(allowed_path))
        send_file path, options
      else
        raise 'Disallowed file requested'
      end
    end

  end
end

Here is the spec that goes along with it:

require 'spec_helper'

describe ApplicationController do

  describe '#send_file_inside' do

    let(:path) { '/opt/invoices/' }

    it 'should send a requested file that lives beneath the given directory' do
      subject.should_receive(:send_file).with('/opt/invoices/123.pdf', {})
      subject.send :send_file_inside, path, '123.pdf'
    end

    it 'should raise an error if a file outside the given directory was requested' do
      subject.should_not_receive :send_file
      lambda{ subject.send :send_file_inside, path, '../../etc/passwd' }.should raise_error('Disallowed file requested')
    end

    it 'should work with subdirectories' do
      subject.should_receive(:send_file).with('/opt/invoices/2011/001.pdf', {})
      subject.send :send_file_inside, path, '2011/001.pdf'
    end

    it 'should pass along given options to the send_file method' do
      subject.should_receive(:send_file).with('/opt/invoices/123.pdf', :given_options)
      subject.send :send_file_inside, path, '123.pdf', :given_options
    end

  end

end
Thomas Eisenbarth
makandra.de
Say thanks5
Last edit
Over 2 years ago
Henning Koch
License
Source code in this card is licensed under the MIT License.

Related cards:

Delivering Carrierwave attachments to authorized users only

Preparation

To attach files to your records, you will need a new database column representing the filename of the file. To do this, add a new migration (rails g migration <name>) with the following content:

class AddAttachmentToNotes...

Async control flow in JavaScript: Promises, Microtasks, async/await

Slides for Henning's talk on Sep 21st 2017.

Understanding sync vs. async control flow

Talking to synchronous (or "blocking") API

print('script start')
html = get('/foo')
print(html)
print('s...

How to make changes to a Ruby gem (as a Rails developer)

At makandra, we've built a few gems over the years. Some of these are quite popular: spreewald (> 1M downloads), active_type (> 1M downloads), and geordi (> 200k downloads)

Developing a Ruby gem is different from developing Rails applications, w...

The JavaScript Object Model: A deep dive into prototypes and properties

Speaker today is Henning Koch, Head of Development at makandra.

This talk will be in German with English slides.

Introduction

As web developers we work with JavaScript every day, even when our backend code uses anothe...

JavaScript without jQuery (presentation from 2019-01-21)

Summary

  • We want to move away from jQuery in future projects
  • Motivations are performance, bundle size and general trends for the web platform.
  • The native DOM API is much nicer than it used to be, and we can polyfill the missing pieces
  • Un...

Deliver Paperclip attachments to authorized users only

When Paperclip attachments should only be downloadable for selected users, there are three ways to go.
The same applies to files in Carrierwave.
...

How to create giant memory leaks in AngularJS (and other client-side JavaScript)

This guide shows how to create an AngularJS application that consumes more and more memory until, eventually, the browser process crashes on your users.

Although this guide has been written for Angular 1 originally, most of the advice is relevant...

The Ruby Object Model

In Ruby (almost) everything is an Object. While this enables a lot of powerful features, this concept might be confusing for developers who have been programming in more static languages, such as Java or C#. This card should help understanding t...

How to: Upgrade CarrierWave to 3.x

While upgrading CarrierWave from version 0.11.x to 3.x, we encountered some very nasty fails. Below are the basic changes you need to perform and some behavior you may eventually run into when upgrading your application. This aims to save you some...

Guide to localizing a Rails application

Localizing a non-trivial application can be a huge undertaking. This card will give you an overview over the many components that are affected.

When you are asked to give an estimate for the effort involved, go through the list below and check wh...

Posted by Thomas Eisenbarth to makandra dev (2011-03-21 11:34)
This website uses short-lived cookies to improve usability.
or learn more