id: no-path-traversal
valid:
- |
File.basename(user_input)
invalid:
- |
File.join(Rails.root, params[:file])
- |
Rails.root.join("data", user_input)
- |
send_file params[:path]
- |
File.join(Rails.root, "data", "fixed.txt")
- |
send_file Rails.root.join("public", "report.pdf")