jruby/warbler

Facing security issue while creating WAR file for JRuby-based Rails application

Opened this issue · 0 comments

Currently I am facing an issue while using the warble gem. I am using a JRuby-based Rails application.
I am able to access direct file path code in the server URL, which is breaking security.
So I was trying to modify config/warble.rb, where I have made some changes, which are shown below.

config.webxml.jruby.min.runtimes = 1
config.webxml.jruby.max.runtimes = 1
config.webxml.org.eclipse.jetty.servlet.default.dirAllowed = false

After adding the config, I am able to access the WEB-INF directory as well as files from the direct server URL, which is breaking the security of our application.
For example:

  1. server url/WEB-INF./web.xml
  2. server url/WEB-INF./config/secrets.yml
    All the files in this directory can be accessed.

It looks like this is just preventing directory access, but I am still able to access file path code in the URL directly.
Does anyone have any idea how to fix this issue in warble?
Any help would be appreciated.
Thanks.
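A path check covering the URLs reported above, as an added example that is not part of the original issue and not Warbler or jruby-rack code. It assumes the trailing dot after WEB-INF is what gets past the container's own WEB-INF protection (the issue does not confirm the cause), generalizes to case and percent-encoded variants, and uses hypothetical function names and constructed sample paths.

```ruby
# Added example: decide whether a request path resolves into a protected
# servlet directory after the normalizations a file system or container may apply.
PROTECTED_DIRS = %w[WEB-INF META-INF].freeze

# Undo percent-encoding, repeating a bounded number of times so that
# double-encoded input such as "%2557EB-INF" is also reduced to plain text.
def decode_path(raw)
  path = raw.b # work on raw bytes to avoid encoding errors on odd input
  3.times do
    decoded = path.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
    break if decoded == path
    path = decoded
  end
  path
end

# Reduce one path segment to the name a lenient file system would open:
# drop servlet path parameters (";..."), trailing dots and spaces
# (ignored by Windows file APIs), and fold case.
def normalize_segment(segment)
  segment.sub(/;.*\z/m, "").sub(/[. ]+\z/, "").upcase
end

# True when any segment of the decoded path names a protected directory.
def protected_path?(raw_path)
  path = decode_path(raw_path).gsub("\\", "/")
  path.split("/").any? { |seg| PROTECTED_DIRS.include?(normalize_segment(seg)) }
end

# Return the subset of paths that must be answered with 404/403.
def denied_paths(paths)
  paths.select { |p| protected_path?(p) }
end

# Constructed sample requests; the first two mirror the URLs in the issue.
SAMPLE_PATHS = [
  "/WEB-INF./web.xml",
  "/WEB-INF./config/secrets.yml",
  "/web-inf/web.xml",
  "/WEB-INF%2e/web.xml",
  "/%2557EB-INF/web.xml",
  "/assets/application.css",
  "/docs/WEB-INF-notes.txt"
].freeze

denied_paths(SAMPLE_PATHS).each { |p| puts "deny #{p}" } if $PROGRAM_NAME == __FILE__
```

The same predicate can back a deny rule in whatever sits in front of the static file handler, and the sample list doubles as a regression check after a container or configuration change.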