Sanitize directory traversal in middleware

rswag-api/lib/rswag/api/middleware.rb

@@ -13,7 +13,11 @@ def initialize(app, config)
 
       def call(env)
         path = env['PATH_INFO']
-        filename = "#{@config.resolve_swagger_root(env)}/#{path}"
+        # Sanitize the filename for directory traversal by expanding, and matching the swagger root directory
+        filename = File.expand_path(File.join(@config.resolve_swagger_root(env), path))
+        unless filename.match Regexp.new('^' + Regexp.escape(@config.resolve_swagger_root(env)))
+          return @app.call(env)
+        end
 
         if env['REQUEST_METHOD'] == 'GET' && File.file?(filename)
           swagger = parse_file(filename)