Path traversal via user-controlled template path in Rails render

High Risk path-traversal

Tags: ruby, rails, render, path-traversal, template, web

What it is

Path traversal vulnerability in Ruby on Rails applications where user input controls the render target (action, template, partial or file) without validation or allowlisting. Because Rails treats a plain string passed to render as a template name, and render file: reads from the filesystem, a client-controlled value can select views that belong to other controllers or (depending on the Rails version and render option) files outside app/views, bypassing the access control that the intended action enforced or leaking sensitive data.

ℹ️ Configuration Fix

Code changes in the controller are required - see explanation below.

💡 Explanation

Why it happens

A request parameter (for example params[:template] or params[:page]) is passed straight to render, so the client, not the controller, decides which template, partial or file is rendered. Nothing checks the value against the set of views the action is meant to show.

Root causes

User-Controlled Template Paths

User input directly controls which template, partial, or action gets rendered without validation, typically in the form render params[:template] or render file: params[:path].

Missing Path Validation

No validation or allowlisting of template names, so traversal sequences such as ../ or absolute paths reach the view lookup and resolve to files the action was never meant to render.

Fixes

1. Use Template Allowlist and Validation

Validate the requested value against a strict allowlist and map user input to predefined template identifiers chosen by the controller; the raw parameter should never be passed to render.

2. Use Case Statements for Template Selection

Use an explicit case statement to map user input to specific template literals instead of building a dynamic path. Unknown values should fall back to a default template or return 404, not be rendered.

3. Sanitize and Validate File Paths

If a dynamic path is genuinely necessary, restrict the input to a safe character pattern, resolve it against the allowed directory, and confirm the resolved path still starts with that directory before rendering.
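The following block is an added example, not code from the original page or from Sourcery; it models all three fixes in plain Ruby so it runs without a Rails install. The mapping table, the method names, the themes directory and the sample parameter values are assumptions made for this illustration. In a controller, the result of template_for or template_via_case is what you hand to render.

```ruby
# Added example: allowlisted template selection and in-directory path
# validation for user-influenced Rails renders. Names and values below are
# assumptions for this illustration, not part of the original page.
require "pathname"

module TemplateSelection
  # Fix 1: an allowlist mapping request values to template names that the
  # controller itself chose. The user-supplied string never becomes a path.
  REPORT_TEMPLATES = {
    "summary"  => "reports/summary",
    "detailed" => "reports/detailed",
    "export"   => "reports/export",
  }.freeze

  DEFAULT_TEMPLATE = "reports/summary"

  # Returns the template to render for params[:report]. Anything not in the
  # allowlist (nil, "../../etc/passwd", "admin/secrets") gets the default.
  def self.template_for(param)
    REPORT_TEMPLATES.fetch(param.to_s, DEFAULT_TEMPLATE)
  end

  # Fix 2: the same decision as a case statement. The only values that can
  # reach render are string literals present in the source.
  def self.template_via_case(param)
    case param
    when "summary"  then "reports/summary"
    when "detailed" then "reports/detailed"
    when "export"   then "reports/export"
    else DEFAULT_TEMPLATE
    end
  end

  # Fix 3: when a dynamic name is unavoidable (e.g. per-tenant themes under
  # app/views/themes), restrict it to a safe pattern and prove the resolved
  # path stays inside the allowed directory. Both checks matter: the pattern
  # rejects "../" and absolute paths outright; the prefix check catches
  # anything the pattern misses. Symlinks are not resolved here; use
  # File.realpath on the candidate if the directory may contain them.
  SAFE_NAME = /\A[a-z0-9_]+(?:\.html\.erb)?\z/

  # Returns the absolute path to render, or nil if the name is not allowed.
  def self.resolve_within(base_dir, name)
    return nil unless name.is_a?(String) && name.match?(SAFE_NAME)

    base = File.expand_path(base_dir)
    candidate = File.expand_path(name, base)
    return nil unless candidate.start_with?(base + File::SEPARATOR)

    candidate
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request values: one legitimate, two traversal attempts.
  ["detailed", "../../config/database", nil].each do |p|
    puts "report=#{p.inspect} -> render #{TemplateSelection.template_for(p)}"
  end
  base = "/srv/app/app/views/themes"
  ["dark", "../../../../etc/passwd", "/etc/passwd"].each do |n|
    puts "theme=#{n.inspect} -> #{TemplateSelection.resolve_within(base, n).inspect}"
  end
end
```

Returning nil or the default for rejected input is a design choice; some teams prefer to raise so the attempt surfaces as a 404 and is logged. Either way the unvalidated parameter is never passed to render.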

Detect This Vulnerability in Your Code

Sourcery automatically identifies path traversal via user-controlled template paths in Rails render calls, along with many other security issues in your codebase.