Don't render arbitrary RABL templates

This could be used to execute arbitrary files on the host system, as
well as disclosing the existence of files on the system.

Signed-off-by: Jeff Dutil <>
jhawthorn authored and JDutil committed Jul 24, 2015
1 parent 203657e commit a0cc2752ad5f1ca1d0015b8e8e185104e5830a2a
Showing with 2 additions and 2 deletions.
  1. +2 −2 api/app/views/spree/api/taxonomies/show.v1.rabl
@@ -1,7 +1,7 @@
object @taxonomy
if set = params[:set]
extends "spree/api/taxonomies/#{set}"
if params[:set] == 'nested'
extends "spree/api/taxonomies/nested"
attributes *taxonomy_attributes


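Review bot: the hunk correctly removes the user-controlled interpolation in `extends "spree/api/taxonomies/#{set}"`, but the replacement `if params[:set] == 'nested'` hardcodes a single literal rather than an explicit allowlist; if more variants are ever added, prefer a constant such as `%w[nested]` checked with `include?` and a fixed template path per entry, so the template name can never be derived from request input again. Please also add a request spec that sends an unexpected `set` value (for example a nonexistent template name) and asserts that the default `attributes *taxonomy_attributes` branch is rendered, so the fix cannot regress silently, and grep the other RABL views for the same `extends "...#{params[...]}"` pattern to confirm this was the only instance.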