Sha256: b81c73d4b9c14326ef5e2e9d977dd4de303dc482052373ebfafcae757c91cf70
Contents?: true
Size: 1.15 KB
Versions: 2
Compression:
Stored size: 1.15 KB
Contents
# frozen_string_literal: true
module RuboCop
module Cop
module GitlabSecurity
# Check for use of send_file(..., params[], ...)
#
# Passing user params to the send_file() method allows directory traversal
#
# @example
#
# # bad
# send_file("/tmp/myproj/" + params[:filename])
#
# # good (verify directory)
# basename = File.expand_path("/tmp/myproj")
# filename = File.expand_path(File.join(basename, @file.public_filename))
# raise if basename != filename
# send_file filename, disposition: 'inline'
#
class SendFileParams < RuboCop::Cop::Base
MSG = 'Do not pass user provided params directly to send_file(), ' \
'verify the path with file.expand_path() first.'
# @!method params_node?(node)
def_node_search :params_node?, <<-PATTERN
(send (send nil? :params) ... )
PATTERN
def on_send(node)
return unless node.command?(:send_file)
return unless node.arguments.any? { |e| params_node?(e) }
add_offense(node.loc.selector)
end
end
end
end
end
Version data entries
2 entries across 2 versions & 1 rubygems
| Version | Path |
|---|---|
| gitlab-styles-13.0.1 | lib/rubocop/cop/gitlab_security/send_file_params.rb |
| gitlab-styles-13.0.0 | lib/rubocop/cop/gitlab_security/send_file_params.rb |