middleware.rb in rswag-api-2.10.0

- old
+ new

@@ -11,10 +11,15 @@
         @config = config
       end
 
       def call(env)
         path = env['PATH_INFO']
-        filename = "#{@config.resolve_swagger_root(env)}/#{path}"
+        # Sanitize the filename for directory traversal by expanding, and ensuring
+        # its starts with the root directory.
+        filename = File.expand_path(path, @config.resolve_swagger_root(env))
+        unless filename.start_with? @config.resolve_swagger_root(env)
+          return @app.call(env)
+        end
 
         if env['REQUEST_METHOD'] == 'GET' && File.file?(filename)
           swagger = parse_file(filename)
           @config.swagger_filter.call(swagger, env) unless @config.swagger_filter.nil?
           mime = Rack::Mime.mime_type(::File.extname(path), 'text/plain')