From efd4ea48dfc4840ca2650d9a93287a67d4de8885 Mon Sep 17 00:00:00 2001
From: Sergio
Date: Thu, 6 Jul 2023 14:26:48 +0300
Subject: [PATCH] Use starts_with? and simplify file expansion

---
 rswag-api/lib/rswag/api/middleware.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rswag-api/lib/rswag/api/middleware.rb b/rswag-api/lib/rswag/api/middleware.rb
index d6de5c31..ff9a2252 100644
--- a/rswag-api/lib/rswag/api/middleware.rb
+++ b/rswag-api/lib/rswag/api/middleware.rb
@@ -13,9 +13,10 @@ def initialize(app, config)
       def call(env)
         path = env['PATH_INFO']
 
-        # Sanitize the filename for directory traversal by expanding, and matching the swagger root directory
-        filename = File.expand_path(File.join(@config.resolve_swagger_root(env), path))
-        unless filename.match Regexp.new('^' + Regexp.escape(@config.resolve_swagger_root(env)))
+        # Sanitize the filename for directory traversal by expanding, and ensuring
+        # its starts with the root directory.
+        filename = File.expand_path(path, @config.resolve_swagger_root(env))
+        unless filename.start_with? @config.resolve_swagger_root(env)
           return @app.call(env)
         end
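Review bot: `File.expand_path(path, @config.resolve_swagger_root(env))` ignores its second argument whenever `path` is absolute, and a Rack `PATH_INFO` normally begins with `/`, so `filename` resolves to something like `/swagger.json` instead of a path under the swagger root, the `start_with?` guard then fails for every request, and the middleware always falls through to `@app` — the removed `File.join` form did not have this problem. Keeping the join and only switching the check is the minimal repair: `root = @config.resolve_swagger_root(env)`, `filename = File.expand_path(File.join(root, path))`, `unless filename.start_with?(root)`. Separately, a bare string-prefix test (both the old regexp and the new `start_with?`) also accepts a sibling directory whose name merely begins with the root string, e.g. `<root>_other`; comparing against `File.join(root, '')` (root plus trailing separator), with root itself already expanded, closes that gap. The `call` method continues past the end of this hunk, so whatever later reads `filename` is not visible here.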