
I am performing white-box testing on a Rails application with static code analysis tools like Brakeman, and I came across an instance where the developer is loading images using File.open.

file = File.open("#{Rails.root}/app/assets/path/image.jpg")

Due to my limited knowledge of Rails, I am wondering whether that is vulnerable to an LFI issue or not. To my knowledge, if we use File.open with a user-defined parameter then it will be vulnerable to LFI. But I am confused in the case of Rails.root.

Thanks

1 Answer


Rails.root appears to return the root directory of the Rails app. As this is not user-controlled input, it is not, and cannot be, used for LFI of any sort.

multithr3at3d
  • Which leads to the conclusion that Brakeman is just reporting because File.open has been used, so it is a false positive then. Anyway, thank you!!! – Captain-Robot Oct 07 '19 at 16:50
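As an added illustration (not part of the question or the answer, and not Rails's own code), the three patterns side by side in plain Ruby: the fixed path from the question, the request-controlled path that the File.open rule is really meant to catch, and a confined variant for the case where a user does get to pick the file name. Rails.root is replaced by a constructed placeholder path, and the image directory name is likewise an assumption.

```ruby
require "pathname"

# Constructed stand-in for Rails.root (Rails sets this itself in a real app);
# the path is a placeholder, not taken from any real deployment.
RAILS_ROOT = Pathname.new("/srv/example_app")
IMAGE_DIR  = RAILS_ROOT.join("app", "assets", "images")  # assumed directory

# Pattern from the question: every path component is a constant, so no
# request data can steer the open() call. The only thing a scanner can flag
# here is the generic "File.open was used" heuristic.
def fixed_image_path
  IMAGE_DIR.join("image.jpg").to_s
end

# The pattern the Brakeman rule exists for: a request parameter spliced into
# the path. Pathname#join resolves ".." and returns absolute arguments as-is,
# so the caller can leave IMAGE_DIR entirely.
def unsafe_image_path(user_supplied)
  IMAGE_DIR.join(user_supplied).to_s
end

# Hardened variant: accept a user-chosen file name but confine the result to
# IMAGE_DIR. Returns the normalized path, or nil when the request would escape
# the directory (or name the directory itself). The check is lexical
# (cleanpath); it does not follow symlinks, so add a realpath comparison if
# IMAGE_DIR may contain links pointing elsewhere.
def confined_image_path(user_supplied)
  name = user_supplied.to_s
  return nil if name.empty? || name.include?("\0")

  candidate = IMAGE_DIR.join(name).cleanpath
  prefix    = IMAGE_DIR.cleanpath.to_s + "/"
  return nil unless candidate.to_s.start_with?(prefix)

  candidate.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts fixed_image_path
  puts unsafe_image_path("../../config/database.yml")   # escapes IMAGE_DIR
  puts confined_image_path("logo.png")                   # allowed
  p    confined_image_path("../../config/database.yml")  # nil
end
```

The functions only compute paths; they never open anything, so the block runs without the files existing. In a controller the last step would be `File.open(confined_image_path(params[:name]))` guarded by a nil check, and the path-building logic is what a reviewer should read when triaging a File.open finding: constant components are a false positive, concatenated request data is the real finding.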