Fix root prefix bug in Rack::Static

jeremyevans · ioquatix · commit a17cb99b3440 · 2026-04-01T15:12:27.000+13:00
This is similar to the fix of CVE-2026-22860 for Rack::Directory.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file. For info on
 - [CVE-2026-34826](https://github.com/advisories/GHSA-x8cg-fq8g-mxfx) Multipart byte range processing allows denial of service via excessive overlapping ranges.
 - [CVE-2026-34835](https://github.com/advisories/GHSA-g2pf-xv49-m2h5) `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
 - [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
+- [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
 
 ## [3.1.20] - 2026-02-16
 
diff --git a/lib/rack/static.rb b/lib/rack/static.rb
@@ -93,6 +93,9 @@ class Static
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
+      if @urls.kind_of?(Array)
+        @urls = @urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/".freeze].freeze }.freeze
+      end
       @index = options[:index]
       @gzip = options[:gzip]
       @cascade = options[:cascade]
@@ -115,7 +118,7 @@ def overwrite_file_path(path)
     end
 
     def route_file(path)
-      @urls.kind_of?(Array) && @urls.any? { |url| path.index(url) == 0 }
+      @urls.kind_of?(Array) && @urls.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
     end
 
     def can_serve(path)
diff --git a/test/spec_static.rb b/test/spec_static.rb
@@ -266,6 +266,21 @@ def static(app, *args)
     res.headers['cache-control'].must_be_nil
   end
 
+  it "not allow directory traversal via root prefix bypass" do
+    Dir.mktmpdir do |dir|
+      root = File.join(dir, "root")
+      outside = "#{root}_test"
+      FileUtils.mkdir_p(root)
+      FileUtils.mkdir_p(outside)
+      FileUtils.touch(File.join(outside, "test.txt"))
+
+      app = Rack::Static.new(proc { |env| [403, {}, ""] }, root: dir, urls: ["/root"])
+      res = Rack::MockRequest.new(app).get("/root_test/test.txt")
+
+      res.must_be :forbidden?
+    end
+  end
+
   it "expands the root path upon the middleware initialization" do
     relative_path = STATIC_OPTIONS[:root].sub("#{Dir.pwd}/", '')
     opts = { urls: [""], root: relative_path, index: 'index.html' }
