authoreileencodes <eileencodes@gmail.com>2016-01-28 14:18:01 -0500
committereileencodes <eileencodes@gmail.com>2016-01-28 14:25:57 -0500
commit020d6fda29c1f04818dbf467764fc8ac16b7042f (patch)
tree869199120b460ed7389406847ff152bce347215d
parent9f3730a516f30beb0050caea9539f8d6b808e58a (diff)
Regression test for rendering file from absolute path
Test that rendering a file given by an absolute path outside of the application directory is not allowed. This is dangerous because it could be used to retrieve arbitrary files from the server, such as `/etc/passwd`.
-rw-r--r--actionpack/test/controller/render_test.rb11
1 files changed, 11 insertions, 0 deletions
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index d1b9586533..2e1a687513 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -270,6 +270,17 @@ class ExpiresInRenderTest < ActionController::TestCase
response.body
end
+ def test_dynamic_render_with_absolute_path
+ file = Tempfile.new
+ file.write "secrets!"
+ file.flush
+ assert_raises ActionView::MissingTemplate do
+ response = get :dynamic_render, params: { id: file.path }
+ end
+ ensure
+ file.unlink
+ end
+
def test_dynamic_render
assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
assert_raises ActionView::MissingTemplate do