Accessing a file with normal Ruby IO fails. Security issue of what?

Hi,

I’m developing a small Rails 2.2.0 app. I have a slightly modified
scaffold-generated file,
PayrollSys\app\controllers\cvs_items_controller.rb, as follows:

class CvsItemsController < ApplicationController
  # GET /cvs_items
  # GET /cvs_items.xml

  require 'find' # Added

  def index
    logger.info "==> index in cvs_items_controller.rb"
    # @cvs_items = CvsItem.find(:all)
    @cvs_items = get_csv_filenames_attributes() # Replacement

    [snip]

  protected
  def reload
    logger.info "==> Reload in cvs_items_controller.rb – RLM "
  end

  def get_csv_filenames_attributes # Brand new method
    csv_data_dir = "../../public/data/csv"
    values = []
    Find.find(csv_data_dir) do |item|
      next unless File.file?(item)
      values << item
    end
    values
  end
end

Using a logger, I have confirmed that no filenames have been returned
by File.find and that the values array remains zero length.

However, the exact same method (without the “def” and its closing
“end”), when added to a brother file in the same directory, correctly
lists the two .csv files in the
PayrollSys\public\data\csv directory (when a puts is prepended to the
closing “values” symbol).

Is there some security method that precludes accessing the files?
Would the tableless plugin be relevant, though I do want ActiveRecord
to access the application database(s).

Thanks in Advance,
Richard

RichardOnRails wrote:

Hi,

I’m developing a small Rails 2.2.0 app. I have a slightly modified
scaffold-generated file,
PayrollSys\app\controllers\cvs_items_controller.rb, as follows:

class CvsItemsController < ApplicationController
  # GET /cvs_items
  # GET /cvs_items.xml

  require 'find' # Added

  def index
    logger.info "==> index in cvs_items_controller.rb"
    # @cvs_items = CvsItem.find(:all)
    @cvs_items = get_csv_filenames_attributes() # Replacement

    [snip]

  protected
  def reload
    logger.info "==> Reload in cvs_items_controller.rb – RLM "
  end

  def get_csv_filenames_attributes
    csv_data_dir = "../../public/data/csv"

do you mean "../../../public/data/csv"?
or do you have a public dir under the app dir?

yes, it is strange, but you need to go 1 dir more back…

    values = []
    Find.find(csv_data_dir) do |item|
      next unless File.file?(item)
      values << item
    end
    values

  end
end

Using a logger, I have confirmed that no filenames have been returned
by File.find and that the values array remains zero length.

probably you are looking in the wrong dir

However, the exact same method (without the “def” and its closing
“end”), when added to a brother file in the same directory, correctly
lists the two .csv files in the
PayrollSys\public\data\csv directory (when a puts is prepended to the
closing “values” symbol).

Is there some security method that precludes accessing the files?
Would the tableless plugin be relevant, though I do want ActiveRecord
to access the application database(s).

Thanks in Advance,
Richard

try this:

  protected
  def reload
    logger.info "==> Reload in cvs_items_controller.rb – RLM "
  end

  def get_csv_filenames_attributes
    csv_data_dir = File.expand_path(File.dirname(__FILE__) +
                                    "../../../public/data/csv/")
    logger.info "==> csv_data_dir: #{csv_data_dir}" # print the dir so
                                                    # you can check if it is correct
    values = []
    Find.find(csv_data_dir) do |item|
      logger.info "==> item in csv_data_dir: #{item}"
      next unless File.file?(item)
      values << item
    end
    values
  end

Hope this helps

Duilio R.

Richard,

What you want is:

  csv_data_dir = RAILS_ROOT + "/public/data/csv"

Rick

On Nov 22, 3:37 pm, RichardOnRails

Hi Duilio,

Thanks for your responses. I’ll try them out today. I have a slight
digression: in the process of removing my debugging code I managed to
mess a few things up, which I’ll have to fix first. I’ll post back
with the outcome.

PS: I’m sorry for my English

No apology necessary. It’s not the form of your expression that
matters, it’s the content of your message (with apologies to Martin
Luther King’s memory.)

Best wishes,
Richard

On Nov 22, 9:39 pm, Duilio R.

Duilio R. wrote:

RichardOnRails wrote:

Hi,

I’m developing a small Rails 2.2.0 app. I have a slightly modified
scaffold-generated file,
PayrollSys\app\controllers\cvs_items_controller.rb, as follows:

class CvsItemsController < ApplicationController
  # GET /cvs_items
  # GET /cvs_items.xml

  require 'find' # Added

  def index
    logger.info "==> index in cvs_items_controller.rb"
    # @cvs_items = CvsItem.find(:all)
    @cvs_items = get_csv_filenames_attributes() # Replacement

    [snip]

  protected
  def reload
    logger.info "==> Reload in cvs_items_controller.rb – RLM "
  end

  def get_csv_filenames_attributes
    csv_data_dir = "../../public/data/csv"

do you mean "../../../public/data/csv"?
or do you have a public dir under the app dir?

yes, it is strange, but you need to go 1 dir more back…

no, my error
it is relative to the dir where you start rails

if you use
  ruby script/server
and
  csv_data_dir = "public/data/csv"
it works

    values = []
    Find.find(csv_data_dir) do |item|
      next unless File.file?(item)
      values << item
    end
    values

  end
end

Using a logger, I have confirmed that no filenames have been returned
by File.find and that the values array remains zero length.

probably you are looking in the wrong dir

However, the exact same method (without the “def” and its closing
“end”), when added to a brother file in the same directory, correctly
lists the two .csv files in the
PayrollSys\public\data\csv directory (when a puts is prepended to the
closing “values” symbol).

Is there some security method that precludes accessing the files?
Would the tableless plugin be relevant, though I do want ActiveRecord
to access the application database(s).

Thanks in Advance,
Richard

try this:

  protected
  def reload
    logger.info "==> Reload in cvs_items_controller.rb – RLM "
  end

  def get_csv_filenames_attributes
    csv_data_dir = File.expand_path(File.dirname(__FILE__) +
                                    "../../../public/data/csv/")
    logger.info "==> csv_data_dir: #{csv_data_dir}" # print the dir so
                                                    # you can check if it is correct
    values = []
    Find.find(csv_data_dir) do |item|
      logger.info "==> item in csv_data_dir: #{item}"
      next unless File.file?(item)
      values << item
    end
    values
  end

Hope this helps

Duilio R.

Errata corrige

protected
def reload
logger.info "==> Reload in cvs_items_controller.rb – RLM "
end

def get_csv_filenames_attributes
  csv_data_dir = File.expand_path(File.dirname(__FILE__) +
                               "/../../public/data/csv/")
  values = []
  logger.info "==>  csv_data_dir: #{csv_data_dir}"
  Find.find(csv_data_dir) do |item|
    next unless File.file?(item)
    logger.info "==>  file in csv_data_dir: #{item}"
    values << item
  end
  values
end

I hope this is correct ;)

Duilio R.

PS: I’m sorry for my English

Hi Rick,

  csv_data_dir = RAILS_ROOT + "/public/data/csv"

Now that looks like REAL Ruby-on-Rails programming.

Many thanks.

I’ll post back on success/failure later today or tomorrow.

Best wishes,
Richard

Hey Rick,

RAILS_ROOT was the key. I never would have dreamed that up by
myself, despite my handsome collection of Rails books :)

Thanks and Best Wishes,
Richard
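As an added example (not code from anyone in this thread), here is Rick's RAILS_ROOT approach written as standalone Ruby: the application root is passed in as a parameter standing in for RAILS_ROOT, the lookup is shown to work no matter which working directory the process was started from (the thing that broke the original "../../public/data/csv"), and the listing is limited to regular .csv files that really sit under the data directory. The temporary app tree and file names are constructed for the demo.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Resolve the CSV directory from an explicit application root rather than
# from the process's working directory, which is what a bare
# "../../public/data/csv" silently depends on. In Rails 2.x the root is
# RAILS_ROOT; it is a parameter here so the code runs outside Rails.
def csv_data_dir(rails_root)
  File.expand_path(File.join(rails_root, 'public', 'data', 'csv'))
end

# Return the regular *.csv files under the data directory. A missing
# directory is reported instead of quietly yielding an empty list, and
# every path is checked (via realpath) to actually sit inside that
# directory, so a symlinked file pointing elsewhere is not listed.
def csv_filenames(rails_root)
  dir = csv_data_dir(rails_root)
  raise ArgumentError, "CSV directory not found: #{dir}" unless File.directory?(dir)
  base = File.realpath(dir) + File::SEPARATOR
  values = []
  Find.find(dir) do |item|
    next unless File.file?(item) && File.extname(item) == '.csv'
    next unless File.realpath(item).start_with?(base)
    values << item
  end
  values.sort
end

# Demo on a constructed throwaway app tree (not the poster's PayrollSys
# app): two CSV files plus a non-CSV file, listed while the working
# directory is deliberately somewhere else, as it is when the server is
# started from another location.
def demo
  Dir.mktmpdir('payrollsys') do |root|
    dir = csv_data_dir(root)
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, 'a.csv'), "id,amount\n")
    File.write(File.join(dir, 'b.csv'), "id,amount\n")
    File.write(File.join(dir, 'notes.txt'), "not a csv\n")
    Dir.chdir('/') { csv_filenames(root).map { |p| File.basename(p) } }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```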