lib/rswag/api/middleware.rb in rswag-api-2.10.0 vs lib/rswag/api/middleware.rb in rswag-api-2.10.1
- old
+ new
@@ -13,10 +13,10 @@
def call(env)
path = env['PATH_INFO']
# Sanitize the filename for directory traversal by expanding, and ensuring
# its starts with the root directory.
- filename = File.expand_path(path, @config.resolve_swagger_root(env))
+ filename = File.expand_path(File.join(@config.resolve_swagger_root(env), path))
unless filename.start_with? @config.resolve_swagger_root(env)
return @app.call(env)
end
if env['REQUEST_METHOD'] == 'GET' && File.file?(filename)