Use starts_with? and simplify file expansion

rswag · Jul 6, 2023 · efd4ea4 · efd4ea4
1 parent e0b3863
commit efd4ea4
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/rswag-api/lib/rswag/api/middleware.rb b/rswag-api/lib/rswag/api/middleware.rb
@@ -13,9 +13,10 @@ def initialize(app, config)
 
       def call(env)
         path = env['PATH_INFO']
-        # Sanitize the filename for directory traversal by expanding, and matching the swagger root directory
-        filename = File.expand_path(File.join(@config.resolve_swagger_root(env), path))
-        unless filename.match Regexp.new('^' + Regexp.escape(@config.resolve_swagger_root(env)))
+        # Sanitize the filename for directory traversal by expanding, and ensuring
+        # its starts with the root directory.
+        filename = File.expand_path(path, @config.resolve_swagger_root(env))
+        unless filename.start_with? @config.resolve_swagger_root(env)
           return @app.call(env)
         end