Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: High

Problem

Parameter value used in file name

Location

app/controllers/static_controller.rb:157

send_file((File.expand_path(((Rails.root + "public/assets/") + params[:path])) + ".br"), :disposition => nil, :type => "application/javascript")

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.