Secure against directory traversal

We're using checksum as file name and verify that all externally-controllable path components are harmless.

Secure against directory traversal
72c27559 · tribut · 4ddd1ef4 · 72c27559 · 72c27559
Verified Commit 72c27559 authored 4 months ago by tribut
--- a/app/models/filedrop_file.rb
+++ b/app/models/filedrop_file.rb
 class FiledropFile < ApplicationRecord
  belongs_to :session
+  validates :checksum, presence: true, format: { with: /\A[0-9a-fA-F]+\z/, message: "only allows hexadecimal characters" }

  def sanitize_filename(filename)
    filename.gsub(/[^\w\s.-]/, '_')
@@ -36,6 +37,6 @@ class FiledropFile < ApplicationRecord
      session.ref_id
    )
    FileUtils.mkdir_p(dir)
-    return File.join(dir, name)
+    return File.join(dir, checksum)
  end
 end
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -13,6 +13,7 @@ class Session < ApplicationRecord
  scope :future, -> { where(starts_at: Time.now..) }

  validates :ref_id, uniqueness: { scope: :conference_id }
+  validates :ref_id, format: { with: /\A[0-9a-fA-F-]+\z/, message: "only allows hexadecimal characters and minus" }

  after_update :notify_if_changed