Fix Improper Assets Management in Sinatra
Improper asset management in Sinatra environments often leads to Information Disclosure and Path Traversal. When developers bypass standard static middleware or fail to sanitize dynamic file requests, they risk exposing source code, environment variables, and internal configuration. In a hacker-centric view: if I can use your asset route to reach /etc/passwd or your .env file, your asset management is broken.
The Vulnerable Pattern
require 'sinatra'

get '/download/:file' do
  # VULNERABLE: Direct concatenation allows path traversal (e.g., ../../../config.ru)
  file_path = "./public/uploads/#{params[:file]}"
  send_file file_path
end
The Secure Implementation
The vulnerability stems from trusting user input in file system operations. The secure implementation applies three layers of defense. First, File.basename strips every directory component from the requested name, including traversal sequences such as ../. Second, File.expand_path and start_with? confirm that the resolved path stays inside the designated uploads directory. Third, standard static assets are served through Sinatra's built-in static settings, which the underlying Rack middleware handles more robustly than hand-written routes.
require 'sinatra/base'

class SecureApp < Sinatra::Base
  # 1. Use built-in static file serving for standard assets
  set :public_folder, File.dirname(__FILE__) + '/public'
  set :static, true

  get '/download/:file' do
    # 2. Sanitize filename using File.basename to prevent directory traversal
    filename = File.basename(params[:file])
    # Anchor the uploads directory to public_folder rather than the process
    # working directory, so the check does not depend on where the app was started
    directory = File.expand_path('uploads', settings.public_folder)
    file_path = File.join(directory, filename)

    # 3. Verify the file exists and is within the intended directory
    #    (the trailing separator also rejects sibling directories such as uploads_backup)
    halt 404 unless File.file?(file_path) && file_path.start_with?(directory + File::SEPARATOR)
    send_file file_path
  end
end
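The route above flattens every request to a single filename with File.basename, so the containment check is mostly a second line of defense. The following is an added example, not code from the page or from Ghost Labs, that generalises the same expand_path plus start_with? idea to requests that may name a subdirectory under uploads (for instance reports/q1.csv) and adds the checks a practitioner would want when the filename is not flattened: NUL bytes, absolute and ~-prefixed paths, sibling directories, symlinks that point outside the tree, and directories or missing files. The function name resolve_contained_file, the fixture files and the requests in demo_requests are all constructed for this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not the page's code). Resolves a user-supplied relative path
# against base_dir and returns the absolute path of a regular file inside
# base_dir, or nil when the request must be refused (serve a 404 in that case).
def resolve_contained_file(base_dir, requested)
  # Canonicalise the base first: if base_dir itself sits behind a symlink
  # (macOS /tmp -> /private/tmp), the realpath of a good file would not share
  # its prefix and every request would be refused.
  base = begin
    File.realpath(File.expand_path(base_dir))
  rescue SystemCallError
    return nil
  end
  return nil if requested.nil? || requested.empty? || requested.include?("\0")

  # File.expand_path collapses "." and ".." segments; an absolute request such
  # as "/etc/passwd" ignores base entirely, and a leading "~" expands to a home
  # directory (raising ArgumentError for unknown users). The prefix check with a
  # trailing separator rejects all of these as well as "#{base}_backup".
  candidate = begin
    File.expand_path(requested, base)
  rescue ArgumentError
    return nil
  end
  return nil unless candidate.start_with?(base + File::SEPARATOR)

  # A symlink inside the uploads tree may point outside it, so check the
  # resolved path again. realpath raises for missing files and dangling links.
  real = begin
    File.realpath(candidate)
  rescue SystemCallError
    return nil
  end
  return nil unless real.start_with?(base + File::SEPARATOR) && File.file?(real)
  real
end

# Constructed fixture: a throwaway directory tree that exercises each case.
# Returns a Hash of request => basename of the resolved file, or nil if refused.
def demo_requests
  Dir.mktmpdir('assets') do |root|
    uploads = File.join(root, 'uploads')
    FileUtils.mkdir_p(File.join(uploads, 'reports'))
    File.write(File.join(uploads, 'invoice.pdf'), 'pdf')
    File.write(File.join(uploads, 'reports', 'q1.csv'), 'csv')
    File.write(File.join(root, 'secret.env'), 'DB_PASSWORD=example')   # outside uploads
    File.symlink(File.join(root, 'secret.env'), File.join(uploads, 'link.env'))

    requests = ['invoice.pdf', 'reports/q1.csv', '../secret.env',
                'reports/../../secret.env', '/etc/passwd', 'link.env',
                "invoice.pdf\0.txt", 'reports', 'missing.txt']
    requests.each_with_object({}) do |req, out|
      path = resolve_contained_file(uploads, req)
      out[req] = path && File.basename(path)
    end
  end
end

# In a Sinatra route this would be used as (hypothetical route, not the page's):
#   get '/download/*' do
#     path = resolve_contained_file(File.join(settings.public_folder, 'uploads'), params['splat'].first)
#     halt 404 unless path
#     send_file path
#   end
puts demo_requests.inspect if $PROGRAM_NAME == __FILE__
```

Only invoice.pdf and reports/q1.csv resolve; every traversal, absolute path, symlink escape, NUL-byte, directory and missing-file request comes back as nil and should be answered with a 404, exactly as the page's halt 404 does.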
Verified by Ghost Labs Security Team