
facing security issue while creating war file Jruby based rails application #543

Open
shahrutul1993 opened this issue Jul 31, 2023 · 1 comment

Comments

@shahrutul1993

shahrutul1993 commented Jul 31, 2023

Currently I am facing an issue while using the warbler gem. I am using a JRuby-based Rails application.
I am able to access direct file path code in the server URL, which is breaking security.
So I was trying to modify config/warble.rb, where I have made some changes, which are shown below.

config.webxml.jruby.min.runtimes = 1
config.webxml.jruby.max.runtimes = 1
config.webxml.org.eclipse.jetty.servlet.default.dirAllowed = false

After adding the config, I am still able to access the WEB-INF directory as well as files from a direct server URL, which is breaking the security of our application.
For example:

  1. server url/WEB-INF./web.xml
  2. server url/WEB-INF./config/secrets.yml
    All the files in this directory can be accessed.

It looks like this just prevents directory access, but I am still able to access file path code in the URL directly.
Does anyone have any idea how to fix this issue in warbler?
Any help would be appreciated.
Thanks.

@shahrutul1993 shahrutul1993 changed the title from "facing issue while creating war file Jruby based rails application" to "facing security issue while creating war file Jruby based rails application" on Aug 4, 2023
@thimios

thimios commented Aug 12, 2024

Any updates on this? We are also facing the same issue. Adding

config.webxml.org.eclipse.jetty.servlet.default.dirAllowed = false

does not have any effect on the generated web.xml file,

and opening localhost:8080/test..%2F..%2F seems to just render a listing of the server's directory files.

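Two things worth checking before and after deploying the WAR, as an added example that is neither Warbler's code nor code from either commenter: first, whether the generated web.xml actually carries a dirAllowed context-param at all (the second comment reports it does not), and second, whether the running server still answers the exact paths listed in this thread. Jetty's DefaultServlet reads its init parameters from context-params with the prefix org.eclipse.jetty.servlet.Default. (capital D), so the script accepts any name ending in .dirAllowed and reports the name it found; the sample web.xml fragments are constructed for the example and only mimic the context-param shape Warbler emits for config.webxml.jruby.* settings. Note that dirAllowed only governs directory listings: a file that the container resolves past its WEB-INF protection, as the WEB-INF. paths above do, is served regardless, which is why probing the live server is the check that matters. The server URL and the web.xml path are command-line arguments and are assumptions of the example.

```ruby
require "rexml/document"
require "net/http"
require "uri"

# Constructed sample (not a real Warbler output): the context-params Warbler
# writes for config.webxml.jruby.min/max.runtimes, with no dirAllowed entry,
# which is what the second comment reports seeing in the generated web.xml.
WEBXML_WITHOUT_DIRALLOWED = <<~XML
  <web-app>
    <context-param>
      <param-name>jruby.min.runtimes</param-name>
      <param-value>1</param-value>
    </context-param>
    <context-param>
      <param-name>jruby.max.runtimes</param-name>
      <param-value>1</param-value>
    </context-param>
  </web-app>
XML

# Constructed sample: the same file with the setting present under the name
# Jetty's DefaultServlet actually reads (prefix org.eclipse.jetty.servlet.Default.).
WEBXML_WITH_DIRALLOWED = WEBXML_WITHOUT_DIRALLOWED.sub(
  "</web-app>",
  "  <context-param>\n" \
  "    <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>\n" \
  "    <param-value>false</param-value>\n" \
  "  </context-param>\n</web-app>"
)

# Parse a web.xml and return its <context-param> entries as {name => value}.
def context_params(xml)
  doc = REXML::Document.new(xml)
  params = {}
  doc.elements.each("web-app/context-param") do |cp|
    name_el = cp.elements["param-name"]
    next if name_el.nil?
    val_el = cp.elements["param-value"]
    params[name_el.text.to_s.strip] = val_el ? val_el.text.to_s.strip : ""
  end
  params
end

# The [name, value] pair of whatever *.dirAllowed param is present, or nil.
def dirallowed_setting(params)
  params.find { |name, _| name.end_with?(".dirAllowed") }
end

# True only if a *.dirAllowed context-param exists and is set to false.
def dir_listing_disabled?(params)
  entry = dirallowed_setting(params)
  !entry.nil? && entry[1].casecmp?("false")
end

# The paths reported in this issue; none of them should ever return 200.
PROBE_PATHS = ["/WEB-INF./web.xml", "/WEB-INF./config/secrets.yml", "/test..%2F..%2F"].freeze

# A 200 on one of the probe paths means the container served the resource.
def exposed?(status)
  status.to_i == 200
end

# Send each probe path to the server verbatim (raw path, so %2F and the
# trailing dot reach the container unchanged) and record the status codes.
def probe(base_url)
  uri = URI(base_url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    PROBE_PATHS.map do |path|
      res = http.get(path)
      { path: path, status: res.code, exposed: exposed?(res.code) }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_war.rb [path/to/web.xml] [http://host:port]
  params = context_params(ARGV[0] ? File.read(ARGV[0]) : WEBXML_WITHOUT_DIRALLOWED)
  puts "dirAllowed context-param: #{dirallowed_setting(params).inspect}"
  puts "directory listing disabled in web.xml: #{dir_listing_disabled?(params)}"
  if ARGV[1]
    probe(ARGV[1]).each do |r|
      puts "#{r[:path]} -> #{r[:status]}#{' EXPOSED' if r[:exposed]}"
    end
  end
end
```

To run it against a real build, pull web.xml out of the archive first, e.g. `unzip -p app.war WEB-INF/web.xml > web.xml`, then `ruby check_war.rb web.xml http://localhost:8080`. A non-200 status on the probe paths only tells you the container refused those particular strings; it is not evidence that other aliases of WEB-INF are blocked.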