Create custom validator for file path params in the API
Problem to solve
In the past, we have had problems with invalid file paths (i.e. paths that include path traversal characters).
At the moment, the API does not perform any validation on this kind of param.
Further details
We can prevent some security problems if we can detect and stop the request when the file path is invalid.
Proposal
The idea is to create a Grape::Validations object (lib/api/helpers/custom_validators.rb) that checks whether the file path includes path traversal characters. We already have a method that does exactly that, so we can just call it from the new validator.
Then we have to review the different endpoints (for example, by searching for :file_path params) and add this validator to them.
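A sketch of the validator the proposal describes, added here as an example and not GitLab's own code: check_path_traversal!, safe_file_path? and FilePathValidator are hypothetical names, and the class is kept free of the Grape dependency so it runs stand-alone.

```ruby
# Raised when a user-supplied file path is unsafe to use on the file system.
class PathTraversalError < ArgumentError; end

# Percent-decodes repeatedly (bounded) so double-encoded sequences such as
# "%252e%252e" cannot hide a ".." from the check. Works on a binary copy so
# arbitrary byte values decode without encoding errors.
def percent_decode(str)
  bytes = str.b
  3.times do
    decoded = bytes.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    return decoded if decoded == bytes
    bytes = decoded
  end
  bytes
end

# Returns +path+ unchanged when it is safe, raises PathTraversalError otherwise.
# Rejects null bytes, absolute paths and any ".." segment, treating
# backslashes as separators so "..\" variants are caught as well.
def check_path_traversal!(path)
  raise PathTraversalError, 'must be a String' unless path.is_a?(String)

  decoded = percent_decode(path)
  raise PathTraversalError, 'contains a null byte' if decoded.include?("\0")

  normalized = decoded.tr('\\', '/')
  raise PathTraversalError, 'must be relative' if normalized.start_with?('/')
  raise PathTraversalError, 'contains path traversal' if normalized.split('/').include?('..')

  path
end

# Boolean convenience wrapper around the check above.
def safe_file_path?(path)
  check_path_traversal!(path)
  true
rescue PathTraversalError
  false
end

# Stand-in for the Grape validator (hypothetical, Grape-free so it runs here):
# the real class would subclass Grape::Validations::Validators::Base and raise
# Grape::Exceptions::Validation, which Grape turns into a 400 response.
# Grape invokes validate_param! with the attribute name and the params hash.
class FilePathValidator
  def validate_param!(attr_name, params)
    check_path_traversal!(params[attr_name])
  rescue PathTraversalError => e
    raise ArgumentError, "#{attr_name} #{e.message}"
  end
end
```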
What does success look like, and how can we measure that?
Endpoints that accept a file path as a param should raise an error when it is invalid.