Get ../../blah keys to render

I only ever wanted to use rack protection authenticity token and thought that is what I was doing. I now realize they include several by default unless you explicitly turn them off. Instead i'm just going to include what i want which is auth token stuff.

lib/flipper/ui.rb

@@ -20,12 +20,17 @@ def self.root
 
     def self.app(flipper = nil, options = {})
       env_key = options.fetch(:env_key, 'flipper')
-      rack_protection_options = options.fetch(:rack_protection, use: :authenticity_token)
+
+      if options.key?(:rack_protection)
+        warn "[DEPRECATION] `rack_protection` option is deprecated. " +
+          "Flipper::UI now only includes Rack::Protection::AuthenticityToken middleware. " +
+          "If you need additional protection, you can add it yourself."
+      end
 
       app = ->(_) { [200, { Rack::CONTENT_TYPE => 'text/html' }, ['']] }
       builder = Rack::Builder.new
       yield builder if block_given?
-      builder.use Rack::Protection, rack_protection_options
+      builder.use Rack::Protection::AuthenticityToken
       builder.use Rack::MethodOverride
       builder.use Flipper::Middleware::SetupEnv, flipper, env_key: env_key
       builder.use Flipper::UI::Middleware, flipper: flipper, env_key: env_key

spec/flipper/ui/actions/feature_spec.rb

@@ -197,4 +197,18 @@
       expect(last_response.body).to include('a/b')
     end
   end
+
+  describe 'GET /features/:feature with dot dot slash repeated in feature name' do
+    before do
+      get '/features/..%2F..%2F..%2F..%2Fblah'
+    end
+
+    it 'responds with success' do
+      expect(last_response.status).to be(200)
+    end
+
+    it 'renders template' do
+      expect(last_response.body).to include('../../../../blah')
+    end
+  end
 end