Problem Description
We should be able to access publicly available (e.g., tester.jar, checkstyle.rkt, etc.) files from Bottlenose. These
Solution
Route for /resources added to config.
FilesController updated to handle files coming out of lib/assets.
Testing added for both upload and resource methods of FilesController.
Additional Notes
It was initially thought that allowing any file in lib/assets would introduce a directory traversal vulnerability; however, Rails seems to auto-magically collapse ../ into just /.
Linked Issue
273
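As an added example (not Bottlenose's FilesController or any code from this PR), the check below shows how a resource lookup can enforce containment inside lib/assets explicitly rather than depending on whatever path normalization the framework happens to apply to ../ segments. The helper name safe_resource_path and the demo_resource_lookup driver are hypothetical; the directory layout, file contents and probe names are constructed for the example. It resolves the requested name with File.realpath (which also follows symlinks) and serves the file only when the resolved path is a descendant of the assets directory.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Hypothetical helper (added example, not project code): resolve a
# user-supplied resource name against an assets directory and return the
# absolute path only when it stays inside that directory. Returns nil for
# absolute paths, anything that escapes the base (including via symlinks),
# directories, and names that do not exist.
def safe_resource_path(base_dir, requested)
  return nil if requested.nil? || requested.empty?
  # Everything must be relative to the assets directory.
  return nil if Pathname.new(requested).absolute?

  base = Pathname.new(File.realpath(base_dir))
  # realpath collapses "." and "..", follows symlinks, and raises ENOENT
  # when the target does not exist, so a non-existent name is refused too.
  candidate = Pathname.new(File.realpath(requested, base.to_s))

  # Containment check: the candidate must be a strict descendant of base.
  rel = candidate.relative_path_from(base).to_s
  return nil if rel == "." || rel == ".." || rel.start_with?("../")
  return nil unless candidate.file?

  candidate.to_s
rescue Errno::ENOENT, Errno::ENOTDIR, ArgumentError
  # ENOENT/ENOTDIR: missing path component; ArgumentError: no common
  # prefix between the two paths (possible on some platforms).
  nil
end

# Builds a constructed lib/assets tree in a temp dir and runs a set of
# probes through the check, returning { probe => :served | :denied }.
def demo_resource_lookup
  Dir.mktmpdir("assets-demo") do |root|
    lib = File.join(root, "lib")
    assets = File.join(lib, "assets")
    FileUtils.mkdir_p(assets)
    File.write(File.join(assets, "tester.jar"), "constructed jar bytes")
    # Constructed file one level above the assets directory.
    File.write(File.join(lib, "secret.yml"), "constructed secret")
    # Constructed symlink inside assets that points outside it.
    File.symlink(File.join(lib, "secret.yml"), File.join(assets, "escape-link"))

    probes = [
      "tester.jar",        # legitimate public resource
      "../secret.yml",     # plain traversal out of lib/assets
      "escape-link",       # symlink escape; realpath exposes the real target
      "/etc/passwd",       # absolute path, refused before any resolution
      "..%2fsecret.yml",   # encoded form is a literal (non-existent) name here
      "missing.rkt",       # non-existent resource
      "."                  # the assets directory itself, not a file
    ]
    probes.map { |p| [p, safe_resource_path(assets, p) ? :served : :denied] }.to_h
  end
end

puts demo_resource_lookup.inspect if $PROGRAM_NAME == __FILE__
```

Running the block prints one :served entry for tester.jar and :denied for every other probe. The containment test is done on the resolved path, so it does not matter whether ../ was already collapsed upstream, and the symlink probe shows why resolving with realpath rather than string comparison on the request alone is the safer choice.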