I am getting file access warning for following code:

FileUtils.rm(File.join(Project.with_deleted.find_by(
  :user_id => (User.find_by(:username => (params[:user_id])).id),
  :name => (params[:id])
).satellitedir, params[:image_name]))

warning is:

When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

I tried to sanitize params with:

 if !params[:image_name].gsub(/\\/, '').index('../')
   #my code
 end

but this seems to have no effect on the Hakiri warning.

1 Answer

This happens because of a technique called tainting.

Basically, the params object is "tainted" because it is marked as coming from user input.

Instead, you need to validate the object and then clean it yourself. Here is a good article about it: http://phrogz.net/programmingruby/taint.html

Answered 2015-04-03T21:11:30.383
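The validation the answer recommends, worked through in plain Ruby as an added example (this is not code from the question, the answer, or Hakiri). It assumes a hypothetical base directory standing in for `satellitedir` and treats `params[:image_name]` as an untrusted string: the name must be a single path component with no separators or dot-only values, and the joined path is then re-checked to confirm it still resolves inside the base directory. The `gsub` / `index('../')` approach in the question is replaced by this allow-list check because blacklisting one pattern leaves other traversal forms (backslashes, encoded dots, absolute paths) unhandled.

```ruby
# Added example: validate a user-supplied file name before it reaches a file
# API such as FileUtils.rm, so a value like "../../etc/passwd" cannot escape
# the intended directory. Base directory and names below are hypothetical.

class UnsafeImageName < StandardError; end

# Accept only a bare file name: one path component, no separators, no dot-only
# names, and a limited character set. Returns the validated name.
def validate_image_name(name)
  raise UnsafeImageName, "image name must be a string" unless name.is_a?(String)
  raise UnsafeImageName, "image name is empty" if name.empty?
  # Reject anything that is not a plain basename: forward or back slashes and
  # NUL bytes are all disallowed.
  raise UnsafeImageName, "separators not allowed" if name =~ %r{[/\\\0]}
  raise UnsafeImageName, "dot names not allowed" if name == "." || name == ".."
  raise UnsafeImageName, "unexpected characters" unless name =~ /\A[A-Za-z0-9._-]+\z/
  name
end

# Join the validated name onto base_dir and confirm that the expanded absolute
# path still lies inside base_dir. The allow-list above already prevents
# traversal; this second check is defence in depth so that a future change to
# the allow-list cannot silently reopen the hole.
def safe_image_path(base_dir, name)
  validated = validate_image_name(name)
  base = File.expand_path(base_dir)
  full = File.expand_path(validated, base)
  unless full.start_with?(base + File::SEPARATOR)
    raise UnsafeImageName, "path escapes #{base}"
  end
  full
end

# Convenience predicate: true if the name would be rejected, false if accepted.
def rejected?(base_dir, name)
  safe_image_path(base_dir, name)
  false
rescue UnsafeImageName
  true
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/app/satellites/project-1" # hypothetical satellitedir
  ["photo.png", "../../etc/passwd", "..\\secrets.txt", "a/b.png", ".."].each do |n|
    puts "#{n.inspect}: #{rejected?(base, n) ? 'rejected' : safe_image_path(base, n)}"
  end
end
```

In a controller the call would become `FileUtils.rm(safe_image_path(project.satellitedir, params[:image_name]))`, with `UnsafeImageName` rescued into a 400 response. Whether Hakiri's static check recognises this pattern as a sanitiser is a separate question; the point is that the path handed to the file API can no longer leave the directory.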