
Commit 18b8a7f

Do not respond to http requests asking for a file://
Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.

A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:

```ruby
config.assets.compile = true # Your app is vulnerable
```

It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.

This patch mitigates the issue by explicitly disallowing any requests to any URI resources via the server.
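To make the mitigation concrete, here is an added Ruby example (not Sprockets' own code) of a request-path guard in the shape this commit describes: the path is percent-decoded the way a Rack server hands it to the application, then rejected if it contains parent-directory traversal, is an absolute filesystem path, or carries a URI scheme separator. The module name `AssetPathGuard`, the `decode` helper and the sample paths are assumptions constructed for the example; the third rule is the one this commit adds.

```ruby
require "pathname"

# Hypothetical re-implementation of the asset-path guard described in the
# commit message (not Sprockets' code). It decodes first, then refuses three
# request shapes that must never reach the filesystem or a URI resolver.
module AssetPathGuard
  module_function

  # Mimic the percent-decoding a Rack server applies to PATH_INFO, so that
  # "file:%2f%2f" and "file://" are judged the same way.
  def decode(raw_path)
    raw_path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  end

  # True when the request must be answered with 403 instead of served.
  def forbidden?(raw_path)
    path = decode(raw_path)
    path.include?("..") ||                 # directory traversal
      Pathname.new(path).absolute? ||      # absolute filesystem path
      path.include?("://")                 # URI scheme (file://, http://, ...)
  end

  # Constructed sample request paths (not from the page): two legitimate
  # asset names and four shapes the guard is expected to refuse.
  SAMPLE_PATHS = [
    "application.js",
    "../../../etc/passwd",
    "/etc/passwd",
    "file:%2f%2f//srv/app/javascripts/foo.js", # encoding used by the commit's test
    "file:///srv/app/javascripts/foo.js",
    "fonts/icons.woff"
  ].freeze

  # Returns the subset of +paths+ the guard would reject.
  def rejected(paths = SAMPLE_PATHS)
    paths.select { |p| forbidden?(p) }
  end
end

if $PROGRAM_NAME == __FILE__
  AssetPathGuard::SAMPLE_PATHS.each do |p|
    puts format("%-45s %s", p, AssetPathGuard.forbidden?(p) ? "403" : "serve")
  end
end
```

Running the file prints one line per sample path; the four traversal, absolute and URI-style paths come out as `403` and the two plain asset names as `serve`. The decode step is the part worth noticing: a substring check for `://` is only meaningful if it runs on the decoded path, which is why the commit's own test sends `file:%2f%2f//`.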
1 parent 2199a60 commit 18b8a7f

2 files changed

+8
-1
lines changed

lib/sprockets/server.rb

Lines changed: 1 addition & 1 deletion
@@ -90,7 +90,7 @@ def forbidden_request?(path)
9090
#
9191
# http://example.org/assets/../../../etc/passwd
9292
#
93-
path.include?("..") || Pathname.new(path).absolute?
93+
path.include?("..") || Pathname.new(path).absolute? || path.include?("://")
9494
end
9595

9696
# Returns a 403 Forbidden response tuple
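Review bot: the comment block above `forbidden_request?` still documents only the traversal case (`# http://example.org/assets/../../../etc/passwd`), so the new `|| path.include?("://")` clause at 93+ is undocumented; add a second example line to that comment naming the URI-scheme shape it refuses (the test in this commit uses `file:%2f%2f//...`). Worth stating in the same comment that the check is on the literal substring `://` and therefore assumes the path has already been percent-decoded by the time it reaches `forbidden_request?`, which is what the accompanying test relies on.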

test/test_server.rb

Lines changed: 7 additions & 0 deletions
@@ -230,6 +230,13 @@ def app
230230
assert_equal 403, last_response.status
231231
end
232232

233+
test "illegal access of a file asset" do
234+
absolute_path = fixture_path("server/app/javascripts")
235+
236+
get "assets/file:%2f%2f//#{absolute_path}/foo.js"
237+
assert_equal 403, last_response.status
238+
end
239+
233240
test "add new source to tree" do
234241
filename = fixture_path("server/app/javascripts/baz.js")
235242

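Review bot: the new test at 233+ pins only the one percent-encoded spelling `file:%2f%2f//#{absolute_path}/foo.js`; since the guard rejects any `://`, a second `get` in the same test with the separator written plainly, and one with a scheme other than `file`, would document that both the decoded and the encoded forms are refused with 403. Minor: the empty line at 235+ between `absolute_path = ...` and the `get` can be dropped to match the layout of the surrounding tests in this file.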