I'm looking for a way to force file operations under a given root
directory. Somewhat similar to chroot, but purely in Ruby.
For the surface syntax I have in mind something like this:

    File.with_root '/var/tmp/safe_place' do
      File.open('…/…/etc/passwd', 'w') do |f|
        f.puts "Let's try it..." # No! -> Exception
      end
    end
I have, unfortunately, no clear idea how to implement File#with_root.
I’m not even sure it’s possible, or possible without an inordinate
amount of work.
My concrete problem is rather more mundane and can probably be solved
easier. I have uploaded file data and paths where they ought to be
stored. I’d like to make sure that they don’t escape from underneath
the top-level directory where they are supposed to stay.
That changes the cwd, the OP wants the block to believe that
/var/tmp/safe_place is /. Dir.entries("/") should list /var/tmp/safe_place,
system("ls /") I guess should do the same.
> My concrete problem is rather more mundane and can probably be solved
> easier. I have uploaded file data and paths where they ought to be
> stored. I'd like to make sure that they don't escape from underneath
> the top-level directory where they are supposed to stay.
To accomplish this you sanitize the filename, then compute
File.expand_path inside a Dir.chdir block (if relative filenames are
allowed), and check whether the result is out of the root via String
comparisons on the names (regexps, etc.).
Yes, thanks, that’s more or less what I’m doing now and relative
filenames are disallowed anyway.
Michael
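As an added example (not code from anyone in this thread), here is a Ruby check implementing the expand_path-plus-string-comparison approach suggested above. The names `confined_path`, `confined?` and `PathEscapeError` are my own; the check is purely lexical, and the root directory need not exist for it to run.

```ruby
# Added example: confine an uploaded file's destination to a root directory
# by expanding the name and comparing the result against the root as a string.
class PathEscapeError < StandardError; end

# Returns the absolute path of +name+ resolved against +root+, or raises
# PathEscapeError if the resolved path would lie outside +root+.
def confined_path(root, name)
  # File.expand_path treats a leading "~" as a home directory, which would
  # silently move the target elsewhere; reject such names outright.
  raise PathEscapeError, "#{name.inspect} uses ~ expansion" if name.start_with?("~")

  root = File.expand_path(root)
  # Resolves "." and ".." segments; relative names are taken relative to root.
  # An absolute name such as "/etc/passwd" simply ignores the root argument.
  target = File.expand_path(name, root)

  # Compare with a trailing separator so a sibling directory such as
  # "/var/tmp/safe_place_evil" is not mistaken for a child of "/var/tmp/safe_place".
  prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR
  unless target == root || target.start_with?(prefix)
    raise PathEscapeError, "#{name.inspect} escapes #{root}"
  end
  target
end

# Boolean form for callers that prefer a predicate to an exception.
def confined?(root, name)
  confined_path(root, name)
  true
rescue PathEscapeError
  false
end
```

Because expand_path never touches the filesystem, a symlink inside the root that points elsewhere is not detected; if that matters in your deployment, run File.realpath on the existing parent directory before writing and apply the same prefix comparison to its result.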