Add path checks in #send_file and #get_git_dir

The Grack::Server class should reject invalid paths supplied by the user
using the regular expressions in line 10-23 of lib/grack/server.rb. This
change adds some defense in depth against invalid paths.

Author: jacobvosmaer

Diff for: lib/grack/server.rb

@@ -161,6 +161,13 @@ def send_file(reqfile, content_type)
       reqfile = File.join(@dir, reqfile)
       return render_not_found if !F.exists?(reqfile)
 
+      if reqfile == File.realpath(reqfile)
+        # reqfile looks legit: no path traversal, no leading '|'
+      else
+        # reqfile does not look trustworthy; abort
+        return render_not_found
+      end
+
       @res = Rack::Response.new
       @res.status = 200
       @res["Content-Type"]  = content_type
@@ -189,10 +196,13 @@ def send_file(reqfile, content_type)
     def get_git_dir(path)
       root = @config[:project_root] || Dir.pwd
       path = File.join(root, path)
-      if File.exists?(path) # TODO: check is a valid git directory
-        return path
+      if !File.exists?(path)
+        false
+      elsif File.realpath(path) != path # looks like path traversal
+        false
+      else
+        path # TODO: check is a valid git directory
       end
-      false
     end
 
     def get_service_type

Diff for: tests/main_test.rb

@@ -183,6 +183,22 @@ def test_git_config_upload_pack
     assert_equal 404, session.last_response.status
   end
 
+  def test_send_file
+    app1 = app
+    app1.instance_variable_set(:@dir, Dir.pwd)
+    # Reject path traversal
+    assert_equal 404, app1.send_file('tests/../tests', 'text/plain').first
+    # Reject paths starting with '|', avoid File.read('|touch /tmp/pawned; ls /tmp')
+    assert_equal 404, app1.send_file('|tests', 'text/plain').first
+  end
+
+  def test_get_git_dir
+    # Guard against non-existent directories
+    assert_equal false, app.get_git_dir('foobar')
+    # Guard against path traversal
+    assert_equal false, app.get_git_dir('/../tests')
+  end
+
   private
 
   def r