Skip to content

Commit

Permalink
Site updated at Thu Jan 25 11:23:01 PM PST 2024
Browse files Browse the repository at this point in the history
  • Loading branch information
@presidentbeef
presidentbeef committed Jan 26, 2024
1 parent ef9c11c commit ff77d1d
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/warning_types/index.html
View file
Expand Up @@ -100,7 +100,7 @@ <h1 class="entry-title">Warning Types</h1>
<li><a href="/docs/warning_types/information_disclosure">Information Disclosure</a></li>
<li><a href="/docs/warning_types/CVE-2011-0446">Mail Link</a></li>
<li><a href="/docs/warning_types/mass_assignment">Mass Assignment</a></li>
<li><a href="/docs/warnings_types/path_traversal">Path Traversal</a></li>
<li><a href="/docs/warning_types/path_traversal">Path Traversal</a></li>
<li><a href="/docs/warning_types/remote_code_execution">Remote Code Execution</a></li>
<li><a href="/docs/warning_types/remote_code_execution_yaml_load">Remote Execution in YAML.load</a></li>
<li><a href="/docs/warning_types/session_manipulation">Session Manipulation</a></li>
Expand Down
14 changes: 14 additions & 0 deletions docs/warning_types/path_traversal/index.html
View file
Expand Up @@ -112,6 +112,20 @@ <h2 id="pathname-confusion">Pathname Confusion</h2>

<p>Exercise extreme caution when passing user-provided input to this function.</p>

<h3 id="additional-protections">Additional Protections</h3>

<p>Besides coding defensively, there are additional options for protecting against path traversal:</p>

<ul>
<li>Use the ActiveStorage module for handling uploaded files and store them in a service like S3, rather than storing user data on the same server or directory as the application.</li>
<li>Configure permissions on the application server to disallow writing files or reading files outside of the application directory.</li>
<li>Never include user-provided values in the file path or the file name.</li>
</ul>

<p>A common pattern is to store files using application-generated file names, but keep a record of the user-provided name. When the user downloads the file, the <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-download"><code class="language-plaintext highlighter-rouge">download</code></a> attribute and/or the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition">Content Disposition</a> header can be used to tell the browser the preferred name of the file, which can be the original user-provided name. Note that libraries like ActiveStorage will handle this for you.</p>

<p>However, be careful if users can download files named by <em>other</em> users. Overall, it is safer to generate file names from known-safe values.</p>

<hr />
<p>Back to <a href="/docs/warning_types">Warning Types</a></p>

Expand Down
2 changes: 1 addition & 1 deletion feed.xml
View file
@@ -1,4 +1,4 @@
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.3">Jekyll</generator><link href="https://brakemanscanner.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://brakemanscanner.org/" rel="alternate" type="text/html" /><updated>2024-01-25T17:10:18-08:00</updated><id>https://brakemanscanner.org/feed.xml</id><title type="html">Brakeman</title><entry><title type="html">Brakeman 6.1.0 Released</title><link href="https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released" rel="alternate" type="text/html" title="Brakeman 6.1.0 Released" /><published>2023-12-04T22:30:00-08:00</published><updated>2023-12-04T22:30:00-08:00</updated><id>https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released</id><content type="html" xml:base="https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released">&lt;p&gt;It’s been a while!&lt;/p&gt;
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.3">Jekyll</generator><link href="https://brakemanscanner.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://brakemanscanner.org/" rel="alternate" type="text/html" /><updated>2024-01-25T23:22:45-08:00</updated><id>https://brakemanscanner.org/feed.xml</id><title type="html">Brakeman</title><entry><title type="html">Brakeman 6.1.0 Released</title><link href="https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released" rel="alternate" type="text/html" title="Brakeman 6.1.0 Released" /><published>2023-12-04T22:30:00-08:00</published><updated>2023-12-04T22:30:00-08:00</updated><id>https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released</id><content type="html" xml:base="https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released">&lt;p&gt;It’s been a while!&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Changes since 6.0.1:&lt;/em&gt;&lt;/p&gt;

Expand Down

0 comments on commit ff77d1d

Please sign in to comment.