Property
Language: ruby
Severity: low
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Enabling config.serve_static_assets in a Rails application allows users to request files outside the app’s root directory, exposing sensitive files on the server. This misconfiguration can let attackers probe and access unintended files.
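As an added example (not part of this rule page and not Rails' own code), the following Ruby shows the check a static-file handler must apply so that a request path cannot resolve to a file outside the public directory; the public root and the request paths are constructed for the illustration.

```ruby
# Added example, not from the rule page or from Rails: a minimal resolver
# showing the CWE-22 check a static-file handler needs. The public root and
# request paths are constructed for this illustration.

# Decode %XX sequences once, so "%2e%2e" is seen as ".." before the check.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Resolve a request path to an absolute file path under +root+.
# Returns nil when the path escapes the root or is otherwise unsafe.
def safe_static_path(request_path, root)
  decoded = percent_decode(request_path)
  # NUL bytes can truncate the path in lower-level file APIs (and File.join
  # raises on them), so reject them before any path operation.
  return nil if decoded.include?("\0")

  # File.join then File.expand_path collapses "." and ".." segments.
  # Joining onto an absolute root also avoids "~user" home expansion.
  candidate = File.expand_path(File.join(root, decoded))

  # Compare against the root plus a separator so that a sibling directory
  # such as "/srv/app/public_old" does not pass a bare prefix check.
  root_prefix = File.expand_path(root) + File::SEPARATOR
  return nil unless candidate.start_with?(root_prefix)

  candidate
end

if __FILE__ == $0
  root = "/srv/app/public" # constructed; no files are touched
  ["/assets/app.css", "/assets/../index.html", "/../config/database.yml",
   "/%2e%2e/%2e%2e/etc/passwd", "/../public_old/secret.txt"].each do |req|
    resolved = safe_static_path(req, root)
    puts "#{req.ljust(28)} -> #{resolved || 'REJECTED'}"
  end
end
```

Traversal that stays inside the root (such as `/assets/../index.html`) is allowed; only paths whose canonical form leaves the public directory are rejected.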

Impact

If exploited, attackers could discover the presence of sensitive files or even access confidential data stored outside the application’s intended directory. This could lead to data leaks, exposure of configuration files, or aid further attacks on the server.