CVE-2026-44837 - view_component: System Test Entry Point Path Check Allows Sibling Directory Esca

📡 GitHub-Advisory · 2026-05-08


GHSA-hg3h-g7xc-f7vp · MEDIUM · rubygems/view_component

CVE: CVE-2026-44837

Summary

The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. A plain string-prefix comparison is not a safe containment check, because a sibling directory whose name merely begins with the base name shares the same prefix.

Severity: Medium; test-route scoped.

Example:

Allowed base:  /app/tmp/view_components
Outside path:  /app/tmp/view_components_evil/secret.html.erb

The outside path is not inside the base directory, but it passes:

@path.start_with?(base_path)

Relevant Code

app/controllers/view_components_system_test_controller.rb:

base_path = ::File.realpath(self.class.temp_dir)
@path = ::File.realpath(params.permit(:file)[:file], base_path)
raise ViewComponent::SystemTestControllerNefariousPathError unless @path.start_with?(base_path)

The route then renders the resolved file:

render file: @path

Exploit Flow

Example request:

GET /_system_test_entrypoint?file=../view_components_evil/secret.html.erb

Flow:

1. base_path resolves to .../tmp/view_components.

2. The payload resolves to .../tmp/view_components_evil/secret.html.erb.

3. That path is outside the intended temp directory.

4. The string prefix check still passes.

5. Rails renders the sibling file.

The route is mounted only in Rails.env.test?, which is why Medium is more appropriate than P1. The issue matters if test routes are reachable in shared CI, staging, review apps, or any accidentally exposed test-mode deployment.

Targeted Fuzz Result

The following sibling paths passed an equivalent realpath plus start_with? harness while resolving outside the base directory:

../view_components_evil/secret.html
../view_components2/poc.html
../view_components.bak/poc.html
../view_components-old/poc.html
../view_componentsx/poc.html
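The prefix check from the Relevant Code section and the sibling names from the fuzz list, reproduced here as an added example (not code from the view_component project) that builds a throwaway directory tree, runs the vulnerable check beside a hardened one, and shows which payloads each accepts. The helper names and the fixture layout are assumptions for the demonstration.

```ruby
require "fileutils"
require "tmpdir"

# Vulnerable containment check, equivalent to the controller's
# realpath + start_with? test: a bare string-prefix comparison.
def naive_contained?(base_path, candidate)
  resolved = File.realpath(candidate, base_path)
  resolved.start_with?(base_path)
end

# Hardened check: the resolved path must be the base itself or begin
# with the base followed by a path separator, so a sibling such as
# view_components_evil that only shares the prefix is rejected.
def strict_contained?(base_path, candidate)
  resolved = File.realpath(candidate, base_path)
  resolved == base_path || resolved.start_with?(base_path + File::SEPARATOR)
end

# Constructed fixture: the base directory plus sibling directories taken
# from the advisory's fuzz list, each holding a file to resolve against.
def build_fixture(root)
  base = File.join(root, "view_components")
  FileUtils.mkdir_p(base)
  FileUtils.touch(File.join(base, "ok.html.erb"))
  %w[view_components_evil view_components2 view_components.bak].each do |sib|
    FileUtils.mkdir_p(File.join(root, sib))
    FileUtils.touch(File.join(root, sib, "poc.html"))
  end
  File.realpath(base)
end

# Runs both checks over one in-bounds path and the sibling payloads.
# Returns a Hash of payload => [naive_result, strict_result].
def compare_checks
  Dir.mktmpdir do |root|
    base = build_fixture(root)
    payloads = ["ok.html.erb",
                "../view_components_evil/poc.html",
                "../view_components2/poc.html",
                "../view_components.bak/poc.html"]
    payloads.to_h { |p| [p, [naive_contained?(base, p), strict_contained?(base, p)]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each { |p, (naive, strict)| puts "#{p}: naive=#{naive} strict=#{strict}" }
end
```

Only the in-bounds file passes the strict check; every sibling payload passes the naive check and fails the strict one.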

PoC Test

Create test/sandbox/test/system_test_entrypoint_path_traversal_poc_test.rb:

# frozen_string_litera
