External control of file name or path
Description
The application builds the file name or path passed to the `send_file` method in Ruby on Rails from user-controlled input. `send_file` streams whatever path it is given, so an attacker who controls that value can use traversal sequences such as `../` to read arbitrary files that the application process can access. This arbitrary file read is commonly labelled Local File Inclusion (LFI), although no code is executed; the class of weakness is path traversal (CWE-73, External Control of File Name or Path).
Examples
Insecure Code

```ruby
# The request parameter is used as the path verbatim, so "../../etc/passwd" is served as-is.
send_file params[:filename], x_sendfile: true
```

Secure Code

```ruby
filename = params[:filename]
# File.basename drops any directory component ("../../etc/passwd" becomes "passwd"),
# and the result is joined to a fixed directory instead of being used as a full path.
filepath = "path/to/secure/directory/#{File.basename(filename)}"
send_file filepath, x_sendfile: true
```

Remediation
Do not pass user input to `send_file` directly. Strip any directory component with `File.basename`, join the result to a fixed base directory, and restrict what can be served with an allow list of permitted file names or directories. `File.basename` alone is not sufficient: it still lets the caller pick any file in the base directory, including dotfiles, and it does not detect symlinks that point outside that directory, so resolve the final path with `File.realpath` and verify it still lies under the base directory before serving it.
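The following is an added example, not code from this rule page or from Brakeman/semgrep, showing the remediation above carried through: a hypothetical `resolve_download` helper that applies `File.basename`, an optional allow list, and a `File.realpath` containment check, plus a `demo` routine that builds a constructed temporary directory tree and runs the helper against the inputs an attacker would try (traversal, dotfiles, NUL bytes, a symlink escaping the directory). The controller usage in the trailing comment assumes a Rails app with a `downloads` directory under `public`.

```ruby
require "tmpdir"

# Hypothetical helper: resolve a user-supplied file name to a canonical path that is
# guaranteed to live inside base_dir. Returns the path, or nil if the request must be
# refused. `allowed` is an optional allow list of permitted file names.
def resolve_download(base_dir, requested, allowed = nil)
  return nil if requested.nil?
  requested = requested.to_s
  # File.basename raises on embedded NUL bytes, so reject them up front.
  return nil if requested.include?("\0")

  name = File.basename(requested)            # "../../etc/passwd" -> "passwd"
  # Names File.basename lets through but that must never be served:
  # empty input, and anything starting with "." ("..", ".env", ".git").
  return nil if name.empty? || name.start_with?(".")
  return nil if allowed && !allowed.include?(name)

  base = File.realpath(base_dir)             # canonical form of the served directory
  candidate = File.join(base, name)
  return nil unless File.file?(candidate)    # must exist and be a regular file
  real = File.realpath(candidate)            # resolves symlinks inside base_dir
  # A symlink in base_dir can still point outside it; compare canonical paths.
  return nil unless real.start_with?(base + File::SEPARATOR)
  real
end

# Builds a throwaway directory tree (constructed for this example) and exercises the
# resolver. Returns a hash of outcomes so the results can be inspected or asserted on.
def demo
  Dir.mktmpdir("sendfile-demo") do |dir|
    base = File.join(dir, "public")
    Dir.mkdir(base)
    File.write(File.join(base, "report.pdf"), "quarterly report")
    File.write(File.join(base, ".env"), "SECRET=1")
    File.write(File.join(dir, "secret.txt"), "lives outside the served directory")
    File.symlink(File.join(dir, "secret.txt"), File.join(base, "link.txt"))

    {
      legit:      resolve_download(base, "report.pdf") == File.join(File.realpath(base), "report.pdf"),
      traversal:  resolve_download(base, "../secret.txt"),          # basename -> "secret.txt", not in base
      deep:       resolve_download(base, "../../../etc/passwd"),    # basename -> "passwd", not in base
      dotfile:    resolve_download(base, ".env"),                   # dotfiles refused
      parent:     resolve_download(base, ".."),                     # bare ".." refused
      nul:        resolve_download(base, "report.pdf\0.txt"),       # NUL byte refused
      symlink:    resolve_download(base, "link.txt"),               # escapes via symlink, refused
      not_listed: resolve_download(base, "report.pdf", ["other.pdf"]),
      listed:     resolve_download(base, "report.pdf", ["report.pdf"]).nil?
    }
  end
end

# Hypothetical controller usage (assumes a Rails app; not runnable here):
#   path = resolve_download(Rails.root.join("public", "downloads").to_s, params[:filename], ALLOWED_DOWNLOADS)
#   return head(:not_found) unless path
#   send_file path, x_sendfile: true

p demo if __FILE__ == $0
```

Every refused case yields nil, so the controller answers 404 instead of leaking a path; the allow list is the control to reach for first, with the `realpath` check as the backstop for anything that slips past it.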
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0533 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-73 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | LFI, Path Traversal |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |
References
- https://owasp.org/www-community/attacks/Path_Traversal
- https://owasp.org/Top10/A01_2021-Broken_Access_Control/
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/brakeman/check-send-file.yaml