Puma + Sinatra + protection disabled + static files = arbitrary file access via directory traversal

82 views
Skip to first unread message

Mathew Rowley

unread,
Oct 3, 2016, 2:22:43 PM10/3/16
to sinatrarb, Matthew Todd
When Sinatra is run via Puma, is configured with `protection` disabled, and hosts static files, a directory traversal bug exists.

POC:
gem install puma sinatra # use puma because webrick throws a Bad URI error
ruby -r sinatra -e "set protection: false, public_folder: Dir.pwd, static: true"

It looks like this is known[0][1] and the PR comment explains that it does not introduce a directory traversal bug, however it actually does. It would be fair to say that the `rack-protection` middleware mitigates this from being exploited, but if there is a code path to this method that includes a directory traversal payload, it can be exploited. Yes, it is true that the default configuration (protection enable) does prevent this from happening, however even with protection disabled, should it be possible to access an arbitrary file via directory traversal? 

Mathew Rowley

Zachary Scott

unread,
Oct 4, 2016, 10:25:50 PM10/4/16
to sina...@googlegroups.com, Matthew Todd
If disabling the protection that prevents certain attacks makes you
vulnerable to said attacks, it's not a security exploit -- please use
the rack-protection gem.
> --
> You received this message because you are subscribed to the Google Groups
> "sinatrarb" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sinatrarb+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages