
Commit b391220

security: extend Book.exist? to fix the Dynamic Render Path vulnerability
- Changed the Book.exist? method to check that the file exists inside the target directory
- Removed SotechshaPagesController / Sotechsha2PagesController, which are no longer needed
1 parent eb3e7b8 commit b391220
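To make the point of the commit concrete, here is an added example, not code from this repository: a stand-alone Ruby script that uses a temporary directory as a stand-in for `Rails.root/app/views` (constructed sample templates, no Rails required) and places a check written in the style of the commit's `Book.exist?` next to a hardened version. The names `naive_exist?`, `safe_exist?`, `VIEWS_ROOT` and `SAFE_SEGMENT` are illustrative and are not part of the project. The example shows why `File.exist?` over an interpolated path is not by itself a whitelist: `Pathname#join` keeps `..` segments and the filesystem resolves them, so a `page` value such as `../../layouts/application` is accepted by the naive check but rejected by the hardened one.

```ruby
require "tmpdir"
require "fileutils"
require "pathname"

# Constructed stand-in for Rails.root.join("app/views"): a temp dir holding a
# book template and a layout template. Added example, not the project's code.
VIEWS_ROOT = Pathname.new(Dir.mktmpdir("views_example"))
FileUtils.mkdir_p(VIEWS_ROOT.join("books/sotechsha"))
FileUtils.mkdir_p(VIEWS_ROOT.join("layouts"))
File.write(VIEWS_ROOT.join("books/sotechsha/chapter1.html.erb"), "<h1>Chapter 1</h1>")
File.write(VIEWS_ROOT.join("layouts/application.html.erb"), "<html></html>")

# Check in the style of the commit: interpolate title and page into a path
# and ask whether the file exists. Nothing here rejects ".." segments, so
# the filesystem happily resolves them when File.exist? runs.
def naive_exist?(title, page)
  return false unless page && !page.empty?
  path = VIEWS_ROOT.join("books/#{title}/#{page}.html.erb")
  File.exist?(path)
end

# Hardened check (illustrative): both path segments must match a strict
# charset, and the expanded candidate path must still live under the books
# directory before the filesystem is consulted at all.
SAFE_SEGMENT = /\A[A-Za-z0-9_-]+\z/

def safe_exist?(title, page)
  return false unless title.to_s.match?(SAFE_SEGMENT) && page.to_s.match?(SAFE_SEGMENT)
  books_dir = VIEWS_ROOT.join("books").expand_path
  path = books_dir.join(title, "#{page}.html.erb").expand_path
  # Belt and braces: even if the regex is later relaxed, refuse anything
  # that resolves outside books_dir.
  return false unless path.to_s.start_with?(books_dir.to_s + File::SEPARATOR)
  path.file?
end

if __FILE__ == $PROGRAM_NAME
  puts "naive, legit page:      #{naive_exist?('sotechsha', 'chapter1')}"
  puts "naive, traversal page:  #{naive_exist?('sotechsha', '../../layouts/application')}"
  puts "safe,  legit page:      #{safe_exist?('sotechsha', 'chapter1')}"
  puts "safe,  traversal page:  #{safe_exist?('sotechsha', '../../layouts/application')}"
end
```

The prefix check is done on the expanded path rather than on the raw string because `Pathname#join` does no normalisation; the regex alone would already stop the traversal, but keeping the containment check means the method stays safe if someone later widens the allowed characters. Whichever value `exist?` approves is the only thing that should ever reach `render`.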

File tree

3 files changed

+8
-17
lines changed


app/controllers/sotechsha2_pages_controller.rb

Lines changed: 0 additions & 7 deletions
This file was deleted.

app/controllers/sotechsha_pages_controller.rb

Lines changed: 0 additions & 7 deletions
This file was deleted.

app/models/book.rb

Lines changed: 8 additions & 3 deletions
@@ -19,9 +19,14 @@ def find(title)
1919
end
2020

2121
def exist?(title, page)
22-
page.nil? ?
23-
self.find(title).any? :
24-
self.find(title).map(&:filename).include?(page + ".html")
22+
return false unless page.present?
23+
24+
view_paths = [
25+
Rails.root.join("app/views/books/#{title}/#{page}.html.erb"),
26+
Rails.root.join("app/views/#{title}/#{page}.html.erb")
27+
]
28+
29+
view_paths.any? { |path| File.exist?(path) }
2530
end
2631
end
2732
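Review bot: the `view_paths` array in the new `exist?` interpolates `title` and `page` straight into `Rails.root.join(...)`, and `Pathname#join` does not reject `..` segments, so `File.exist?` returns true for any `.html.erb` reachable by traversal (for example `page = "../../layouts/application"` resolves to `app/views/layouts/application.html.erb`). The old check compared `page + ".html"` against `self.find(title).map(&:filename)`, which limited `page` to a known set of files; the replacement drops that constraint. Either validate both arguments before building a path, e.g. `return false unless title.to_s.match?(/\A[\w-]+\z/) && page.to_s.match?(/\A[\w-]+\z/)`, or `expand_path` each candidate and require it to start with `Rails.root.join("app/views").to_s` before calling `File.exist?`. Two smaller points: the `page.nil? ? self.find(title).any?` branch is gone, so a caller passing `page = nil` now gets `false` rather than "the title has at least one page", which is a behaviour change the commit message should mention; and the controller that hands `page` to `render` is not in this diff, so whether the Dynamic Render Path warning is really cleared depends on that caller rendering only values this method approved.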

0 commit comments
