Puma + Sinatra + protection disabled + static files = arbitrary file access via directory traversal


Mathew Rowley

Oct 3, 2016, 2:22:43 PM
to sinatrarb, Matthew Todd
When Sinatra is run via Puma, is configured with `protection` disabled, and hosts static files, a directory traversal bug exists.

gem install puma sinatra # use puma because webrick throws a Bad URI error
ruby -r sinatra -e "set protection: false, public_folder: Dir.pwd, static: true"

It looks like this is known[0][1] and the PR comment explains that it does not introduce a directory traversal bug; however, it actually does. It would be fair to say that the `rack-protection` middleware mitigates this from being exploited, but if there is a code path to this method that includes a directory traversal payload, it can be exploited. Yes, it is true that the default configuration (protection enabled) does prevent this from happening; however, even with protection disabled, should it be possible to access an arbitrary file via directory traversal?

Mathew Rowley
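The two layers the thread is arguing about, as an added example (not Sinatra's or rack-protection's own code): a path cleaner that collapses `..` segments the way a traversal-protection middleware does, and a static-file resolver that refuses any path landing outside the public folder even when that middleware is switched off. The folder `/srv/app/public` and the request paths are constructed for the demonstration.

```ruby
# Added example (assumption: not the Sinatra or rack-protection implementation).
# Layer 1 - clean_path: normalise PATH_INFO so "../" can never climb above "/".
# Layer 2 - resolve_static: map the path onto the public folder and reject
#           anything that resolves outside it, independent of layer 1.

# Percent-decode, then drop "." and "" segments and pop on "..". Popping an
# empty array is a no-op, so the result can never escape the root.
def clean_path(path_info)
  decoded = path_info.to_s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  parts = []
  decoded.split("/").each do |seg|
    case seg
    when "", "." then next
    when ".."    then parts.pop
    else parts << seg
    end
  end
  "/" + parts.join("/")
end

# Resolve request_path under public_folder. Returns the absolute path when it
# stays inside the folder, nil otherwise (the handler should answer 404).
# The trailing-separator check stops "/srv/app/public2" passing as a prefix
# match for "/srv/app/public".
def resolve_static(public_folder, request_path)
  root = File.expand_path(public_folder)
  candidate = File.expand_path(File.join(root, request_path))
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Both layers together, as a static handler would use them.
def serve_static(public_folder, path_info)
  resolve_static(public_folder, clean_path(path_info))
end

if __FILE__ == $0
  root = "/srv/app/public"  # constructed document root for the demo
  ["/css/app.css", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"].each do |p|
    puts "#{p.ljust(30)} clean=#{clean_path(p).ljust(16)} " \
         "raw_resolve=#{resolve_static(root, p).inspect}"
  end
end
```

`File.expand_path` does not follow symlinks, so on a live tree `File.realpath` on the candidate (after confirming it exists) is the stricter check; the prefix test above is the part that still holds when the middleware is disabled, which is exactly the situation the report describes.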

Zachary Scott

Oct 4, 2016, 10:25:50 PM
to sina...@googlegroups.com, Matthew Todd
If disabling the protection that prevents certain attacks makes you
vulnerable to said attacks, it's not a security exploit -- please use
the rack-protection gem.