Jruby-rack rails applications may have directory traversal issues in some configurations

[shahrutul1993]

currently I am facing issue while using warble gem. I am using Jruby based rails application.
I am able to access direct file path code in server URL which breaking security.
so I was trying to modify config/warble.rb where I have made some changes which is showing below.

config.webxml.jruby.min.runtimes = 1
config.webxml.jruby.max.runtimes = 1
config.webxml.org.eclipse.jetty.servlet.default.dirAllowed = false

after adding config, I am able to access WEB-INF directory as well as file from direct server URL which is breaking security of our application.
for example:

1. server url/WEB-INF./web.xml
2. server url/WEB-INF./config/secrets.yml
   all the files can be accessible from this directory.

Looks like this is just preventing directory access but still able to access file path code in URL directly.
Any one have any idea to fix this issue in warble?
Any help would be appreciated.
Thanks.

[thimios]

any updates on this? We are also facing the same issue. Adding

config.webxml.org.eclipse.jetty.servlet.default.dirAllowed = false

does not have an effect on the generated web.xml file

and opening localhost:8080/test..%2F..%2F seems to just render a listing of the server's directory files

[kares]

this bug relates to the servlet-rack bridge https://github.com/jruby/jruby-rack not the (warbler) packaging tool.

[chadlwilson]

@kares if this is indeed the case and is valid for non-jetty, do you want to move this issue to the other project when you have a minute?

[chadlwilson]

@kares are you able to share any thoughts on which circumstances this would have to be the case to be true? Did you happen to replicate it?

Is this a rails root problem or some issue with query path parsing before offloading to the application?

[headius]

We can transfer this issue to jruby-rack if it is confirmed to still be happening. This was filed a couple of years ago, and I'm not sure what versions of libraries were used.

[kares]

my initial thought was that we do something wrong with the RackFilter and jruby-rack's attempt to allow for serving assets (packaged with the .war) as well as dynamic requests using the filter /* mapping.

no replication or ideas about fixing, would need to sit down a look into it...

[chadlwilson]

Ok, thanks! I'll have a play.