
fix(security): block file extension probes and dotfile access#140

Merged
newstler merged 1 commit into main from security/block-file-extension-probes
Mar 30, 2026

Conversation

@newstler (Owner)

Summary

  • Enhance MaliciousPathBlocker middleware to block requests for file extensions (.sql, .txt, .sh, etc.) when no matching file exists in public/
  • Block dotfile requests (.rbenv-vars, .yarnrc, .dockerignore, etc.) as known scanner probes
  • Tighten catch-all route constraints to exclude paths with dots, so static file requests fall through to public/ properly

Test plan

  • All 124 tests pass
  • RuboCop clean
  • Brakeman 0 warnings
  • New tests for dotfile blocking, unknown file extension blocking, and known public file passthrough (robots.txt, favicon.ico)

🤖 Generated with Claude Code

…leware

Enhance MaliciousPathBlocker to catch scanner probes that request paths with
file extensions (e.g. /delete.sql, /secrets.txt) when no matching file exists
in public/. Also block dotfile requests (.rbenv-vars, .yarnrc, etc.) and
tighten catch-all route constraints to exclude paths containing dots so
static file requests fall through properly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
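The blocking logic the PR describes, written out as a stand-alone Rack-style middleware. This is an added example, not the project's own MaliciousPathBlocker; the class name PathProbeBlocker, the method names and the temporary public/ fixture are assumptions, and it takes the PR's three rules at face value: dot-segment paths are always blocked, paths with an extension are blocked unless the file really exists under public/, and extension-less paths (ordinary routes) are never touched here.

```ruby
require 'tmpdir'

# Added example, not the project's code: a Rack-style middleware modelled on the
# PR's description of MaliciousPathBlocker. Class and method names are assumed.
class PathProbeBlocker
  def initialize(app, public_root:)
    @app = app
    @public_root = File.expand_path(public_root)
  end

  # Rack entry point: short-circuit probes with a 404, pass everything else on.
  def call(env)
    return [404, { 'content-type' => 'text/plain' }, ["Not Found\n"]] if blocked?(env['PATH_INFO'].to_s)
    @app.call(env)
  end

  # Block any path segment that starts with a dot (/.rbenv-vars, /.yarnrc), and any
  # path with a file extension (/delete.sql, /secrets.txt) unless that file really
  # exists under public/. Extension-less paths are normal app routes: never blocked.
  # (Exempt /.well-known here if the app serves ACME or similar challenges.)
  def blocked?(path)
    return true if path.split('/').any? { |seg| seg.start_with?('.') }
    return false if File.extname(path).empty?
    !public_file?(path)
  end

  private

  # True only for a regular file that resolves inside the public root; expand_path
  # plus the prefix check stops ../ sequences from escaping it.
  def public_file?(path)
    candidate = File.expand_path(File.join(@public_root, path))
    candidate.start_with?(@public_root + File::SEPARATOR) && File.file?(candidate)
  end
end

# Constructed fixture: a throwaway public/ holding the two files the PR's tests name.
def build_fixture_public_dir
  dir = Dir.mktmpdir('public')
  File.write(File.join(dir, 'robots.txt'), "User-agent: *\n")
  File.write(File.join(dir, 'favicon.ico'), '')
  dir
end

if __FILE__ == $PROGRAM_NAME
  blocker = PathProbeBlocker.new(->(_env) { [200, {}, ['app']] }, public_root: build_fixture_public_dir)
  %w[/robots.txt /delete.sql /.rbenv-vars /posts/1].each do |p|
    puts "#{p.ljust(14)} -> #{blocker.call('PATH_INFO' => p).first}"
  end
end
```

In a Rails app the equivalent middleware would be inserted with `config.middleware.insert_before` and pointed at `Rails.public_path`; PATH_INFO is already percent-decoded by the time Rack hands it over, so the checks run on the decoded path.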
newstler merged commit 38167b4 into main on Mar 30, 2026
4 checks passed
