Handle bad URIs when filtering redirects

rails/rails#51131 introduced parameter filtering for redirects. We didn't account for invalid URIs though, and it changes the behaviour of redirect_to to raise URI errors when we try to filter a bad URI. Instead, we should fallback to filtering bad URIs entirely to preserve behaviour.
2024-02-23 00:11:15 -06:00 · 2024-02-23 00:11:15 -06:00 · 61b0a68940
parent 3c6adf2994
commit 61b0a68940
2 changed files with 16 additions and 0 deletions
--- a/actionpack/lib/action_dispatch/http/filter_redirect.rb
+++ b/actionpack/lib/action_dispatch/http/filter_redirect.rb
@ -42,6 +42,8 @@ module ActionDispatch
          end
        end
        uri.to_s
+      rescue URI::Error
+        FILTERED
      end
    end
  end
--- a/actionpack/test/controller/log_subscriber_test.rb
+++ b/actionpack/test/controller/log_subscriber_test.rb
@ -36,6 +36,10 @@ module Another
      redirect_to "http://secret.foo.bar?username=repinel&password=1234"
    end

+    def filterable_redirector_bad_uri
+      redirect_to " s:/invalid-string0uri"
+    end
+
    def data_sender
      send_data "cool data", filename: "file.txt"
    end
@ -296,6 +300,16 @@ class ACLogSubscriberTest < ActionController::TestCase
    assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
  end

+  def test_filter_redirect_bad_uri
+    @request.env["action_dispatch.parameter_filter"] = [/pass.+/]
+
+    get :filterable_redirector_bad_uri
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to [FILTERED]", logs[1]
+  end
+
  def test_send_data
    get :data_sender
    wait