Help secure my location block

I have files that are served by the backend web app at
/xxx/File?file=yyy.png. These files are stored at /storage/files on
the server. So, I wrote a location block to serve these files from
storage directly from the web server.

Here is my first take:

    location /xxx/File {
        if ($request_method = POST) {
            proxy_pass http://backend;
        }

        alias /storage/files/;
        try_files $arg_file =404;
    }

The issue is I can do something like /xxx/File?file=../../etc/foo.bar
and nginx will serve the foo.bar file for me. So, I switched to the
following:

    location /xxx/File {
        if ($request_method = POST) {
            proxy_pass http://backend;
        }
        if ($arg_file ~ ..) { return 403; }
        alias /storage/files/$arg_file;
    }

Can someone point me to any corner cases that can be exploited and what
is the best practice for situations like these?
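A hardened version of the block, added here as an example and not the poster's config or a reply from the thread; the map name $safe_file, the flat-directory assumption and the allowed extensions are assumptions:

```nginx
# Added example, not from the original post.
# Whitelist the file name instead of blacklisting "..": anything that is
# not a bare "name.ext" with an allowed extension leaves $safe_file empty.
# Assumed: /storage/files is flat (no subdirectories) and only
# png/jpg/jpeg/gif should ever be served from it.
map $arg_file $safe_file {
    default "";
    "~^[A-Za-z0-9_-]+\.(png|jpe?g|gif)$" $arg_file;
}

location /xxx/File {
    # POST still goes to the application, as in the original block.
    if ($request_method = POST) {
        proxy_pass http://backend;
    }

    # Empty $safe_file means the parameter was missing or failed the
    # whitelist. Compared with the original blacklist:
    #   - unquoted, `if ($arg_file ~ ..)` is the regex ".." and matches
    #     ANY two characters, so it rejects every real file name;
    #   - quoted as "\.\." it would still let an empty "file=" point the
    #     alias at the directory itself, and would serve any other file
    #     that happens to live under /storage/files.
    if ($safe_file = "") {
        return 403;
    }

    # nginx does not canonicalize a path built from a variable (which is
    # why "../" reached /etc in the first config), so only ever hand it
    # a value already proven to be a bare file name. $arg_file is the raw,
    # undecoded query value; the whitelist rejects anything but plain
    # characters, so there is no decoded/undecoded mismatch to reason about.
    alias /storage/files/$safe_file;
}
```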
