Path Traversal in Render Function
Description
The application builds the template or file name passed to `render` from user input. Because `render` resolves that name to a path on disk, a request-controlled value such as `../../config/secrets.yml` can escape the views directory and read arbitrary local files, leaking sensitive information (path traversal leading to local file inclusion).
Examples
Insecure Code
```ruby
render params[:page]
```
Secure Code
```ruby
valid_pages = ['home', 'about_us', 'contact']
render params[:page] if valid_pages.include?(params[:page])
```
Remediation
Do not pass user-controlled values straight to `render`. If a user-supplied template name is unavoidable, normalize it with `File.basename` to strip directory components, then check the result against an allow-list of permitted templates (or a fixed directory) and render only on a match. The allow-list is the actual control: `File.basename` on its own only removes `../` segments and does not stop a request for any other file name that happens to sit in the views directory.
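The following is an added example, not code from the original rule or from Rails. It uses a small stand-in for the template lookup behind `render <name>` (the assumption is that the name is joined onto the views directory and the resulting file is read, which is the file-path behaviour this rule targets) so that both the traversal and the remediation can be run without a Rails app. The `ViewRenderer` class, the `path_traversal_demo` helper, the temporary directory layout and the `secrets.yml` contents are all constructed for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'

# Stand-in for the lookup behind `render <name>` (assumption: the name is
# joined onto the views directory and that file is read; not Rails' own code).
class ViewRenderer
  ALLOWED_PAGES = %w[home about_us contact].freeze

  def initialize(views_root)
    @views_root = File.expand_path(views_root)
  end

  # Vulnerable form of `render params[:page]`: the raw value becomes part of
  # the path, so "../../../config/secrets.yml" walks out of the views directory.
  def render_insecure(page)
    File.read(File.join(@views_root, page))
  end

  # Remediated form: strip directory components, require an allow-listed
  # name, and double-check the resolved path is still inside the views root.
  def render_secure(page)
    return nil unless page.is_a?(String)
    name = File.basename(page)                       # "../../x/y" -> "y"
    return nil unless ALLOWED_PAGES.include?(name)   # the real control
    path = File.expand_path(name, @views_root)
    return nil unless path.start_with?(@views_root + File::SEPARATOR)
    File.read(path)
  end
end

# Builds a throwaway app layout (constructed sample files), sends the same
# traversal payload through both code paths and returns what each produced.
def path_traversal_demo
  Dir.mktmpdir do |app_root|
    views = File.join(app_root, 'app', 'views', 'pages')
    FileUtils.mkdir_p(views)
    FileUtils.mkdir_p(File.join(app_root, 'config'))
    File.write(File.join(views, 'home'), '<h1>Home</h1>')
    File.write(File.join(app_root, 'config', 'secrets.yml'),
               'secret_key_base: deadbeef')

    renderer = ViewRenderer.new(views)
    # pages/ -> views/ -> app/ -> app_root/, then into config/
    payload = '../../../config/secrets.yml'

    {
      insecure_leak:  renderer.render_insecure(payload), # contents of secrets.yml
      secure_blocked: renderer.render_secure(payload),   # nil: rejected
      secure_home:    renderer.render_secure('home')     # "<h1>Home</h1>"
    }
  end
end

if $PROGRAM_NAME == __FILE__
  path_traversal_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running the script shows the insecure path returning the `secrets.yml` contents while the hardened path returns `nil` for the same payload and still serves the allow-listed `home` template. The `start_with?` check is belt-and-braces: after `File.basename` and the allow-list it cannot fail, but it keeps the method safe if someone later loosens the allow-list to accept subdirectories.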
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0532 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Path Traversal, Local File Inclusion |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/brakeman/check-render-local-file-include.yaml
- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion