When Sinatra is run via Puma, is configured with `protection` disabled, and hosts static files, a directory traversal bug exists.
POC:

```shell
gem install puma sinatra # use puma because webrick throws a Bad URI error
ruby -r sinatra -e "set protection: false, public_folder: Dir.pwd, static: true"
```
It looks like this is known[0][1] and the PR comment explains that it does not introduce a directory traversal bug; however, it actually does. It would be fair to say that the `rack-protection` middleware mitigates this from being exploited, but if there is a code path to this method that includes a directory traversal payload, it can be exploited. Yes, it is true that the default configuration (protection enabled) does prevent this from happening, however even with protection disabled, should it be possible to access an arbitrary file via directory traversal?
Mathew Rowley
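As an added example (not code from this issue or from Sinatra itself), the containment check a static-file handler can apply on its own, so that a request escaping `public_folder` is refused even when `rack-protection` is disabled. `safe_static_path` and `demo` are hypothetical names, and the file tree `demo` builds is constructed for the illustration:

```ruby
require 'tmpdir'

# Decode percent-escapes exactly once, as the handler would see the path.
# Decoding a second time later would reintroduce the bug (double-decoding).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the absolute on-disk path when request_path stays inside
# public_folder and names a regular file; returns nil otherwise.
def safe_static_path(public_folder, request_path)
  root = File.expand_path(public_folder)
  decoded = percent_decode(request_path)
  return nil if decoded.include?("\0")  # NUL would truncate the path in C-level file APIs
  # expand_path resolves "." and ".." lexically against root, so every
  # variant of a traversal attempt collapses to an absolute path we can compare.
  candidate = File.expand_path(decoded.sub(%r{\A/+}, ''), root)
  inside = candidate == root || candidate.start_with?(root + File::SEPARATOR)
  return nil unless inside && File.file?(candidate)
  candidate
end

# Constructed tree: <tmp>/public/index.html plus <tmp>/secret.txt one level
# above the public folder. Reports, per request path, whether it would be served.
def demo
  Dir.mktmpdir do |tmp|
    pub = File.join(tmp, 'public')
    Dir.mkdir(pub)
    File.write(File.join(pub, 'index.html'), '<h1>hi</h1>')
    File.write(File.join(tmp, 'secret.txt'), 'not for the web')
    ['/index.html', '/sub/../index.html', '/../secret.txt',
     '/%2e%2e/secret.txt', '/..%2fsecret.txt'].to_h do |path|
      [path, !safe_static_path(pub, path).nil?]
    end
  end
end
```

Only the two paths that resolve to `public/index.html` are served; each form of `..` that would reach `secret.txt` resolves outside `root` and is rejected before any file is opened.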