ruby.lang.security.file-disclosure.file-disclosure

Verified by r2c
Community Favorite
Author: semgrep
Download count*: 97,918

Specially crafted requests can determine whether a file exists on the filesystem outside the Rails application's root directory (the file-existence disclosure described in the Rails security advisory linked under references; it only applies when the application serves static files itself). To fix this, set config.serve_static_assets = false in production and let the web server serve public/ instead, and upgrade to a patched Rails release. Note that this rule only matches the literal assignment config.serve_static_assets = true, so it does not flag the renamed equivalents config.serve_static_files (Rails 4.2) and config.public_file_server.enabled (Rails 5.0), nor values derived from the environment.
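To make the failure mode concrete, here is an added illustration (not Rails' own code and not part of the Semgrep rule) of why a static-file handler turns into a file-existence oracle: a naive matcher joins the request path onto the public root and asks the filesystem, so "../" segments escape the root and the yes/no answer leaks whether arbitrary files exist. The hardened variant canonicalises the candidate path and refuses anything outside the root. The StaticFileMatcher class, the probe list and the temporary directory layout are all constructed here for the example.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical stand-in for a static-file handler's "does this request map
# to a file under public/?" check (not Rails' ActionDispatch::FileHandler).
class StaticFileMatcher
  def initialize(root)
    @root = File.expand_path(root)
  end

  # Vulnerable: trusts the request path. File.join collapses the leading
  # slash, and the OS resolves "..", so "/../config.yml" probes a file
  # outside the public root and the boolean result discloses its existence.
  def naive_exists?(request_path)
    candidate = File.join(@root, request_path)
    File.file?(candidate)
  end

  # Hardened: resolve ".." lexically first, then require the result to
  # still live under @root before touching the filesystem at all.
  def safe_exists?(request_path)
    candidate = File.expand_path(File.join(@root, request_path))
    return false unless candidate.start_with?(@root + File::SEPARATOR)
    File.file?(candidate)
  end
end

# Builds a throwaway layout (constructed sample data): a public/ dir with
# one asset, and a sibling config file outside public/ that a traversal
# request would probe for. Returns the base directory.
def build_fixture
  base = Dir.mktmpdir("file-disclosure")
  public_dir = File.join(base, "public")
  FileUtils.mkdir_p(File.join(public_dir, "assets"))
  File.write(File.join(public_dir, "assets", "app.css"), "body{}")
  File.write(File.join(base, "config.yml"), "secret: 1")
  base
end

# Runs the same request paths through both variants and returns
# { request_path => [naive_result, safe_result] }.
def run_probes(base)
  matcher = StaticFileMatcher.new(File.join(base, "public"))
  probes = [
    "/assets/app.css",            # legitimate asset inside public/
    "/../config.yml",             # one level up: outside public/
    "/assets/../../config.yml",   # same target via a deeper path
    "/nope.css",                  # nonexistent asset
  ]
  probes.to_h { |path| [path, [matcher.naive_exists?(path), matcher.safe_exists?(path)]] }
end

if __FILE__ == $0
  base = build_fixture
  run_probes(base).each do |path, (naive, safe)|
    puts format("%-26s naive=%-5s safe=%s", path, naive, safe)
  end
  FileUtils.rm_rf(base)
end
```

Running the script shows the naive matcher answering true for both traversal probes while the hardened one answers false; only the real asset is true in both columns. File.expand_path does not resolve symlinks, so if public/ may contain symlinks pointing outside the root, use File.realpath on the resolved candidate (guarding against its ENOENT) before the prefix check. None of this replaces the page's fix: disable serve_static_assets in production and run a patched Rails.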


Definition

rules:
  - id: file-disclosure
    message: Special requests can determine whether a file exists on a filesystem
      that's outside the Rails app's root directory. To fix this, set
      config.serve_static_assets = false.
    metadata:
      cwe:
        - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory
          ('Path Traversal')"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb
        - https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ
      category: security
      technology:
        - ruby
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Path Traversal
    languages:
      - ruby
    severity: ERROR
    pattern: config.serve_static_assets = true
    fix-regex:
      regex: =(\s)*true
      replacement: = false

Examples

file-disclosure.rb

def bad_file_disclosure
    # ruleid: file-disclosure
    config.serve_static_assets = true
end

def ok_file_disclosure
    # ok: file-disclosure
    config.serve_static_assets = false
end