Module: WebSocket::ValidationHelpers

Included in:
HttpStaticFileServerHandler
Defined in:
lib/websocket/validation_helpers.rb

Overview

Mixin of request-path validation helpers for the static file handler: #sanitize_uri turns a raw request URI into a filesystem path under `options[:web_root]` (or `nil` when the URI is rejected), and #insecure_uri? is the lexical path-traversal / dot-file check it relies on. The including class is expected to provide `#options` with at least `:web_root` and `:insecure_uri_pattern`.

Constant Summary

# Separator immediately followed by a dot: matches "/.." and dot-files such as "/.git".
FILE_SEPARATOR_DOT_PATTERN = %r{#{File::SEPARATOR}\.}
# Dot immediately followed by a separator: matches "./" and "../".
DOT_FILE_SEPARATOR_PATTERN = %r{\.#{File::SEPARATOR}}
# Everything from the first "?" to the end of the line (no /m flag, so a literal newline stops it).
QUERY_STRING_PATTERN = /\?.*/
# The request-path separator that #sanitize_uri rewrites to File::SEPARATOR.
FORWARD_SLASH_PATTERN = /\//

Instance Method Summary

Instance Method Details

#insecure_uri?(uri) ⇒ Boolean

Deliberately simplistic, purely lexical security check: it rejects any path containing a separator adjacent to a dot (which covers ".." segments and dot-files such as ".git"), any path that starts or ends with a dot, and anything matching `options[:insecure_uri_pattern]`. It does not resolve the path or verify that the final location stays under the web root, so something more serious is required in a production environment.

Returns:

  • (Boolean)


# File 'lib/websocket/validation_helpers.rb', line 26

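# Rejects request paths that could escape the web root or expose dot-files.
#
# The check is lexical and conservative: any separator adjacent to a dot is
# refused, which covers ".." segments as well as ".git", ".env" and similar
# dot-files. It does not resolve symlinks or verify the final path against
# the web root; a caller needing that must add it separately.
#
# @param uri [String] decoded request path whose "/" have already been
#   rewritten to File::SEPARATOR (see #sanitize_uri)
# @return [Boolean] true when the path must not be served
# @raise [NoMethodError] if options[:insecure_uri_pattern] is nil; no default
#   pattern is applied here (options is presumably supplied by the including class)
def insecure_uri?(uri)
  # "/." and "./" together cover "/../", "/.hidden", "./" and "../".
  return true if FILE_SEPARATOR_DOT_PATTERN.match?(uri) || DOT_FILE_SEPARATOR_PATTERN.match?(uri)
  # A leading dot is a dot-file at the root; a trailing dot catches a final
  # "." or ".." segment (and, as a side effect, any name ending in a dot).
  return true if uri.start_with?('.') || uri.end_with?('.')
  # #sanitize_uri only rewrites "/". On platforms with an alternate separator
  # (File::ALT_SEPARATOR is "\" on Windows, nil elsewhere) a "\.." segment would
  # otherwise reach File.join unchecked, so refuse a dot next to it as well.
  alt_sep = File::ALT_SEPARATOR
  return true if alt_sep && (uri.include?("#{alt_sep}.") || uri.include?(".#{alt_sep}"))
  # Deployment-specific deny pattern supplied through options.
  options[:insecure_uri_pattern].match?(uri)
end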

#sanitize_uri(uri) ⇒ String, nil

Strips the query string, percent-decodes the path, requires it to be absolute, rewrites "/" to File::SEPARATOR, rejects it via #insecure_uri?, and otherwise joins it onto `options[:web_root]`. Returns `nil` for any rejected URI.

# File 'lib/websocket/validation_helpers.rb', line 34

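# Maps a raw request URI onto a filesystem path under options[:web_root].
#
# Steps: drop the query string, percent-decode (using the name of
# WebSocket::Encoding), require an absolute path, rewrite "/" to
# File::SEPARATOR, run #insecure_uri?, then join onto the web root. As a last
# line of defence the joined path is expanded lexically and must still lie
# inside the expanded web root.
#
# @param uri [String] request-target as received, e.g. "/img/a%20b.png?v=2"
# @return [String, nil] the path to serve, or nil when the URI is empty,
#   relative, contains a NUL byte, is not valid in the configured encoding,
#   fails #insecure_uri?, or expands to a location outside the web root
def sanitize_uri(uri)
  # The query string is stripped before decoding, so a percent-encoded "?"
  # inside the path survives as part of the file name.
  uri = CGI.unescape(uri.gsub(QUERY_STRING_PATTERN, ''), WebSocket::Encoding.name)
  return nil if uri.empty? || !uri.start_with?('/')
  # "%00" decodes to NUL, which File APIs reject with ArgumentError; treat it
  # as a bad request here rather than letting it surface as a server error.
  return nil if uri.include?("\0")
  # Undecodable byte sequences (e.g. "%ff" under UTF-8) make the regex checks
  # in #insecure_uri? raise ArgumentError, so refuse them up front.
  return nil unless uri.valid_encoding?
  # Convert file separators.
  uri = uri.gsub(FORWARD_SLASH_PATTERN, File::SEPARATOR)
  return nil if insecure_uri?(uri)
  # Convert to absolute path.
  path = File.join(options[:web_root], uri)
  # Defence in depth: the lexical checks above are the only containment, so
  # verify the expanded result is the web root itself or sits below it.
  root = File.expand_path(options[:web_root])
  root_prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR
  expanded = File.expand_path(path)
  return nil unless expanded == root || expanded.start_with?(root_prefix)
  path
end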