High severity (7.5) · NVD Advisory · Published Nov 28, 2017 · Updated May 13, 2026
CVE-2017-17042
Description
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yard (RubyGems) | < 0.9.11 | 0.9.11 |
Patches (1)
1b0217b3e30dc: Disallow relative paths that start with ../
2 files changed · +5 −3
lib/yard/core_ext/file.rb+2 −0 modified@@ -40,6 +40,8 @@ def self.cleanpath(path) if comp == RELATIVE_PARENTDIR && !acc.empty? && acc.last != RELATIVE_PARENTDIR acc.pop next acc + elsif comp == RELATIVE_PARENTDIR && acc.empty? + next acc end acc << comp end
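Review bot: the new `elsif comp == RELATIVE_PARENTDIR && acc.empty?` branch silently drops a leading `..` rather than signalling the over-reach, so `cleanpath` now clamps a path that climbs above its starting directory instead of rejecting it; that is a reasonable default for a path normalizer used by the server, but a one-line comment stating that `..` components with nothing left to pop are discarded would keep the next reader from mistaking it for a bug. Given that the reduction starts from an empty `acc`, the branch also means `acc` can never contain a `..` entry (a `..` is skipped when `acc` is empty and pops the last entry otherwise), so the `acc.last != RELATIVE_PARENTDIR` guard in the first condition is now unreachable and could be removed, which also closes the fall-through path by which a `..` could previously reach `acc << comp`.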
spec/core_ext/file_spec.rb+3 −3 modified@@ -41,12 +41,12 @@ expect(File.cleanpath('A/B/C/D/..')).to eq "A/B/C" end - it "passes the initial directory" do - expect(File.cleanpath('C/../../D')).to eq "../D" + it "does not allow relative path above root" do + expect(File.cleanpath('A/../../../../../D')).to eq "D" end it "does not remove multiple '../' at the beginning" do - expect(File.cleanpath('../../A/B')).to eq '../../A/B' + expect(File.cleanpath('../../A/B')).to eq 'A/B' end end
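Review bot: the second example's title now contradicts its assertion: `it "does not remove multiple '../' at the beginning"` expects `File.cleanpath('../../A/B')` to return `'A/B'`, which is exactly the removal the title denies. Rename it to describe the new behaviour, e.g. `it "removes multiple '../' at the beginning"`, so nobody later "fixes" the expectation to match the title. It would also be worth keeping a case at the boundary the deleted example covered, such as `File.cleanpath('C/../../D')` now yielding `"D"` (one pop empties `acc`, the next `..` is dropped), since the replacement `'A/../../../../../D'` only exercises the deep over-reach.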
News mentions (4)
No linked articles in our index yet.