Exercise extreme caution when passing user-provided input to this function.
+
Additional Protections
+
+
Besides coding defensively, there are additional options for protecting against path traversal:
+
+
+
Use the ActiveStorage module for handling uploaded files and store them in a service like S3, rather than storing user data on the same server or directory as the application.
+
Configure permissions on the application server to disallow writing files or reading files outside of the application directory.
+
Never include user-provided values in the file path or the file name.
+
+
+
A common pattern is to store files using application-generated file names, but keep a record of the user-provided name. When the user downloads the file, the download attribute and/or the Content Disposition header can be used to tell the browser the preferred name of the file, which can be the original user-provided name. Note that libraries like ActiveStorage will handle this for you.
+
+
However, be careful if users can download files named by other users. Overall, it is safer to generate file names from known-safe values.
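Review bot: The closing warning in this hunk ("be careful if users can download files named by other users") does not say what to check, and it sits right after a paragraph that tells readers the original user-provided name can be sent in the Content Disposition header, which reads as a contradiction with the earlier bullet "Never include user-provided values in the file path or the file name." Suggest stating the risk and the mitigation in one sentence: the stored name is user input, so validate and encode it before it goes into the header (and make clear the bullet is about the path on disk, while the header is the browser-facing name). Two style points: write it as "Content-Disposition" (hyphenated, as the header is spelled), and set the `download` attribute in code formatting so it reads as the HTML attribute rather than a plain word.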
diff --git a/feed.xml b/feed.xml
index 8b213a972..fccfa8f6c 100644
--- a/feed.xml
+++ b/feed.xml
@@ -1,4 +1,4 @@
-Jekyll2024-01-25T17:10:18-08:00https://brakemanscanner.org/feed.xmlBrakemanBrakeman 6.1.0 Released2023-12-04T22:30:00-08:002023-12-04T22:30:00-08:00https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released<p>It’s been a while!</p>
+Jekyll2024-01-25T23:22:45-08:00https://brakemanscanner.org/feed.xmlBrakemanBrakeman 6.1.0 Released2023-12-04T22:30:00-08:002023-12-04T22:30:00-08:00https://brakemanscanner.org/blog/2023/12/04/brakeman-6-dot-1-dot-0-released<p>It’s been a while!</p>
<p><em>Changes since 6.0.1:</em></p>
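Review bot: The feed.xml hunk changes nothing but the generated build timestamp in the first line (2024-01-25T17:10:18-08:00 to 2024-01-25T23:22:45-08:00); the article content in the same line and the context line below are identical. Committing this regenerated file adds a noisy one-line diff on every site build. Suggest leaving feed.xml out of this commit, or, if it is produced by the Jekyll build rather than hand-maintained, excluding it from version control so documentation changes like the path traversal text above are not mixed with build output.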