
Regression test for rendering file from absolute path

Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.
eileencodes authored and rafaelfranca committed Jan 28, 2016
1 parent acb5572 commit c03c26cd524856c6fc720a7668393a55e3667700
Showing with 11 additions and 0 deletions.
  1. +11 −0 actionpack/test/controller/render_test.rb
@@ -310,6 +310,17 @@ def test_dynamic_render_with_file
response.body
end
def test_dynamic_render_with_absolute_path
file = Tempfile.new
file.write "secrets!"
file.flush
assert_raises ActionView::MissingTemplate do
response = get :dynamic_render, { id: file.path }
end
ensure
file.unlink
end
def test_dynamic_render
assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
assert_raises ActionView::MissingTemplate do
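Review bot: In test_dynamic_render_with_absolute_path, the `response =` assignment inside the assert_raises block is never read, because the request is expected to raise; calling `get :dynamic_render, { id: file.path }` on its own expresses the same check without an unused local. The ensure clause also calls `file.unlink` on a handle that was only flushed, so closing it first (or using `file.close!`) would release the descriptor, and if `Tempfile.new` itself failed, `file` would be nil there and the ensure would raise NoMethodError. A one-line comment stating that the temp file stands in for an absolute path outside the application directory would keep the security intent visible next to the assertion.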
