rswag-api 2.9.0 → 2.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f6a479873bdc22b8568bf5918bd56380c40dabb9b45577bc2b0ce3a439a226c
-  data.tar.gz: d20109c13e90ab97c31fd8ae3a60a8e5c20a3be0598405ee4bcfccf71c6b1648
+  metadata.gz: 4788a47931d1d98a8f905cf8afed655c53afdc1fe2ac7912a76c0b5aa7dfc649
+  data.tar.gz: e4a1cda783a67dd2707b528ac9796dd6ba487dc42cf5d9befb15e232b747ac74
 SHA512:
-  metadata.gz: 41b18aa4dd83c021d3b3a9135c7564d085eac48d909f4bf20cfc20cc174e1341f4216a9902384ab79ca7107e9112ea56bec30f80139aa67e269e38975d61f5b3
-  data.tar.gz: 3801e309323ec05e77ac47bcd6bd33ef682b979481723d32d063b419af75201667e362ab01df8ecfd06cda165c96123191820a127cb0690af8b5d6d450f3b79c
+  metadata.gz: c7f8c2762098b6ff3320b1724dd51dd209bbdde3d45fcda24f4f6ac027eafa44b08fbdb37f113c0fafdec807c2f12ea4c6932a246879f8a5545e1eafca1c4686
+  data.tar.gz: 2f1013896940b59035472c846f8585479f150389c5aa8e7df327ab64e308ecc29f69d8322e78ff59012254a642ef7953953067e849ffd46208bc6fe02d56df4a

data/lib/rswag/api/middleware.rb

@@ -13,7 +13,12 @@ module Rswag
 
       def call(env)
         path = env['PATH_INFO']
-        filename = "#{@config.resolve_swagger_root(env)}/#{path}"
+        # Sanitize the filename for directory traversal by expanding, and ensuring
+        # its starts with the root directory.
+        filename = File.expand_path(File.join(@config.resolve_swagger_root(env), path))
+        unless filename.start_with? @config.resolve_swagger_root(env)
+          return @app.call(env)
+        end
 
         if env['REQUEST_METHOD'] == 'GET' && File.file?(filename)
           swagger = parse_file(filename)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rswag-api
 version: !ruby/object:Gem::Version
-  version: 2.9.0
+  version: 2.10.1
 platform: ruby
 authors:
 - Richie Morris
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-24 00:00:00.000000000 Z
+date: 2023-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties