Regression test for rendering file from absolute path

Test that we are not allowing you to grab a file with an absolute path
outside of your application directory. This is dangerous because it
could be used to retrieve files from the server like `/etc/passwd`.

Author: eileencodes

actionpack/test/controller/render_test.rb

@@ -278,6 +278,17 @@ def test_dynamic_render_with_file
       response.body
   end
 
+  def test_dynamic_render_with_absolute_path
+    file = Tempfile.new
+    file.write "secrets!"
+    file.flush
+    assert_raises ActionView::MissingTemplate do
+      response = get :dynamic_render, { id: file.path }
+    end
+  ensure
+    file.unlink
+  end
+
   def test_dynamic_render
     assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
     assert_raises ActionView::MissingTemplate do