After I looked up the source of the 'high_voltage' gem, I was able to "solve" my problem by just sending the raw file inline:
    # in /app/controllers/pages_controller.rb
    class PagesController < HighVoltage::PagesController
      def show
        logger.debug "Current page is: #{current_page}"
        # custom_authentication is the app's own hook, not part of high_voltage
        custom_authentication current_page
        # serve the template file verbatim instead of rendering it;
        # current_page is already "pages/<cleaned id>" at this point
        send_file "app/views/#{current_page}", :disposition => 'inline'
        # super
      end
    end
This is the skipped super method of the HighVoltage::PagesController:
    # source of 'high_voltage' gem
    # in app/controllers/high_voltage/pages_controller.rb
    class PagesController < ApplicationController
      def show
        # renders app/views/<current_page> through the view layer
        render :template => current_page
      end
    end
I'm aware of the security risk since `current_page` is derived from `params[:id]`. However, the `HighVoltage::PageFinder` apparently sanitizes the given input:
    # source of 'high_voltage' gem
    # in lib/high_voltage/page_finder.rb
    # note: "+-=" is a tr range, so "." and "/" are kept; it is cleanpath
    # below, not this character filter, that collapses ".." segments
    VALID_CHARACTERS = "a-zA-Z0-9~!@$%^&*()#`_+-=\"{}|[];',?".freeze
    ...
    # anchor the id at "/" so leading ".." cannot climb above it, then drop the "/"
    def clean_path
      path = Pathname.new("/#{clean_id}")
      path.cleanpath.to_s[1..-1]
    end

    # delete every character that is not in VALID_CHARACTERS
    def clean_id
      @page_id.tr("^#{VALID_CHARACTERS}", '')
    end
Navigating to `http://localhost:3000/pages/../shouldNotBeAccessed.html` leads to `http://localhost:3000/shouldNotBeAccessed.html` and the `PagesController` is never called, which is OK, and `http://localhost:3000/pages/something/../somethingElse.html` calls the `PagesController` and the logger gives me "Current page is: pages/somethingElse.html", so path traversal is possible as long as it happens under app/views/pages/.., which is an acceptable behaviour for me.