We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/models/user_export.rb:13

File.delete("#{UserExport.base_directory}/#{"#{expired_export.file_name}-#{expired_export.id}.csv.gz"}")

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/user_export.rb or mark it as false positive.