From 020d6fda29c1f04818dbf467764fc8ac16b7042f Mon Sep 17 00:00:00 2001
From: eileencodes
Date: Thu, 28 Jan 2016 14:18:01 -0500
Subject: Regression test for rendering file from absolute path

Test that we are not allowing you to grab a file with an absolute path outside of your application directory. This is dangerous because it could be used to retrieve files from the server like `/etc/passwd`.
---
 actionpack/test/controller/render_test.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'actionpack/test')

diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index d1b9586533..2e1a687513 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -270,6 +270,17 @@ class ExpiresInRenderTest < ActionController::TestCase
     response.body
   end
 
+  def test_dynamic_render_with_absolute_path
+    file = Tempfile.new
+    file.write "secrets!"
+    file.flush
+    assert_raises ActionView::MissingTemplate do
+      response = get :dynamic_render, params: { id: file.path }
+    end
+  ensure
+    file.unlink
+  end
+
   def test_dynamic_render
     assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
     assert_raises ActionView::MissingTemplate do
-- 
cgit v1.2.3
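Review bot: The `ensure` clause in the new test_dynamic_render_with_absolute_path calls `file.unlink` unconditionally, so if `Tempfile.new` itself raises, `file` is nil and the original failure is masked by a NoMethodError from the ensure block; `file&.close!` guards that case and also releases the open handle instead of only removing the name. The `response = get :dynamic_render, params: { id: file.path }` line assigns a local that is never read, and the block must raise before `get` returns for the assertion to hold, so the assignment can simply be dropped: `get :dynamic_render, params: { id: file.path }`. A block form, `Tempfile.create("secrets") { |file| ... }`, would remove the need for the ensure entirely. The enclosing test class continues outside the hunk.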