From 462c3ca1db53ed3cfc394cf5948e9c948ad1c10e Mon Sep 17 00:00:00 2001
From: Craig Ingram
Date: Wed, 17 Feb 2021 17:43:15 -0500
Subject: [PATCH] validate expanded path matches public_dir when serving static files

---
 lib/sinatra/base.rb | 1 +
 test/static_test.rb | 1 +
 2 files changed, 2 insertions(+)

diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index 8f0d00c7cd..4b5fbb0ce2 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -1090,6 +1090,7 @@ def static!(options = {})
       return unless valid_path?(path)
 
       path = File.expand_path(path)
+      return unless path.start_with?(File.expand_path(public_dir) + '/')
       return unless File.file?(path)
 
       env['sinatra.static_file'] = path
diff --git a/test/static_test.rb b/test/static_test.rb
index 71ed5eb055..cefe55f9c1 100644
--- a/test/static_test.rb
+++ b/test/static_test.rb
@@ -97,6 +97,7 @@ class StaticTest < Minitest::Test
     mock_app do
       set :static, true
       set :public_folder, __dir__ + '/data'
+      disable :protection
     end
     get "/../#{File.basename(__FILE__)}"
     assert not_found?
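Review bot: The new containment check in `static!` compares the output of `File.expand_path`, which normalises `..` segments lexically but does not resolve symlinks, so a link placed under `public_dir` that points outside it still passes this guard and reaches the `File.file?` check and whatever serves the file below the hunk. That is probably the intended trade-off (symlinked asset directories are common), but it should be stated at the guard rather than left implicit, e.g. `# containment is lexical: blocks ../ traversal but does not follow symlinks; use File.realpath if links must stay inside public_dir`. The `public_dir` local being compared against is assigned at the top of `static!`, outside this hunk, so the comment should also be the place that records that the prefix is derived from `settings.public_folder` rather than from the request. A second sentence noting that a rejected path falls through silently to the normal 404 path, rather than raising, would save the next reader from wondering whether traversal attempts are ever logged.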
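Review bot: `disable :protection` is added without a comment saying why, and the reason is essential to the test's validity: presumably the Rack::Protection path-traversal middleware would otherwise answer the `/../` request before `static!` runs, so the `not_found?` assertion would pass without exercising the new prefix check at all. Suggest `# switch off Rack::Protection so the 404 must come from static!'s own containment check, not from PathTraversal middleware` directly above the line. The test also only probes the plain `/../` form; adding the percent-encoded variant `get "/%2e%2e/#{File.basename(__FILE__)}"` and a positive control that a file under `data` still returns 200 with protection disabled would show the guard neither under- nor over-rejects. The enclosing test method's header and closing `end` lie outside this hunk.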