Rescue Rack::QueryParser::ParamsTooDeepError in HTTP request.

- render HTTP 400
- needs Rack 2.2.4+
Josef Šimánek 2022-09-11 01:40:28 +02:00
parent e4990eec1c
commit b0fdca4fbc
4 changed files with 24 additions and 5 deletions


@ -39,7 +39,7 @@ PATH
actionpack (7.1.0.alpha) actionpack (7.1.0.alpha)
actionview (= 7.1.0.alpha) actionview (= 7.1.0.alpha)
activesupport (= 7.1.0.alpha) activesupport (= 7.1.0.alpha)
rack (~> 2.0, >= 2.2.0) rack (~> 2.0, >= 2.2.4)
rack-test (>= 0.6.3) rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0)
@ -380,7 +380,7 @@ GEM
pg (>= 1.1, < 2.0) pg (>= 1.1, < 2.0)
raabro (1.4.0) raabro (1.4.0)
racc (1.6.0) racc (1.6.0)
rack (2.2.3) rack (2.2.4)
rack-cache (1.13.0) rack-cache (1.13.0)
rack (>= 0.4) rack (>= 0.4)
rack-protection (2.1.0) rack-protection (2.1.0)


@ -35,7 +35,7 @@ Gem::Specification.new do |s|
s.add_dependency "activesupport", version s.add_dependency "activesupport", version
s.add_dependency "rack", "~> 2.0", ">= 2.2.0" s.add_dependency "rack", "~> 2.0", ">= 2.2.4"
s.add_dependency "rack-test", ">= 0.6.3" s.add_dependency "rack-test", ">= 0.6.3"
s.add_dependency "rails-html-sanitizer", "~> 1.0", ">= 1.2.0" s.add_dependency "rails-html-sanitizer", "~> 1.0", ">= 1.2.0"
s.add_dependency "rails-dom-testing", "~> 2.0" s.add_dependency "rails-dom-testing", "~> 2.0"


@ -391,7 +391,7 @@ module ActionDispatch
Request::Utils.check_param_encoding(rack_query_params) Request::Utils.check_param_encoding(rack_query_params)
set_header k, Request::Utils.normalize_encode_params(rack_query_params) set_header k, Request::Utils.normalize_encode_params(rack_query_params)
end end
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError => e
raise ActionController::BadRequest.new("Invalid query parameters: #{e.message}") raise ActionController::BadRequest.new("Invalid query parameters: #{e.message}")
end end
alias :query_parameters :GET alias :query_parameters :GET
@ -406,7 +406,7 @@ module ActionDispatch
Request::Utils.check_param_encoding(pr) Request::Utils.check_param_encoding(pr)
self.request_parameters = Request::Utils.normalize_encode_params(pr) self.request_parameters = Request::Utils.normalize_encode_params(pr)
end end
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, EOFError => e rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError, EOFError => e
raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}") raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
end end
alias :request_parameters :POST alias :request_parameters :POST
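Review bot: The same three Rack error classes are now listed twice, in the GET rescue of the first hunk and the POST rescue of the second, with nothing recording why ParamsTooDeepError belongs there; a shared frozen constant with a short comment would keep the two lists from drifting apart as Rack adds further parser errors, e.g. `# Rack 2.2.4+ raises ParamsTooDeepError once nesting exceeds Rack::Utils.param_depth_limit; it is a client error, not a 500.` above `PARAMETER_PARSE_ERRORS = [Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError].freeze`, then `rescue *PARAMETER_PARSE_ERRORS => e` in GET and `rescue *PARAMETER_PARSE_ERRORS, EOFError => e` in POST. Note that a constant named in a rescue clause is only resolved when an exception actually propagates through it, so on a Rack older than 2.2.4 any parse failure here would surface as a NameError instead of a BadRequest; the gemspec bump in this commit is what rules that out, and the comment should say the dependency is deliberate. The GET and POST methods both begin outside these hunks.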

View File

@ -201,6 +201,25 @@ module ApplicationTests
assert_match "Invalid query parameters", last_response.body assert_match "Invalid query parameters", last_response.body
end end
test "displays diagnostics message when too deep query parameters are provided" do
controller :foo, <<-RUBY
class FooController < ActionController::Base
def index
end
end
RUBY
app.config.action_dispatch.show_exceptions = true
app.config.consider_all_requests_local = true
limit = Rack::Utils.param_depth_limit + 1
malicious_url = "/foo?#{'[test]' * limit}=test"
get malicious_url
assert_equal 400, last_response.status
assert_match "Invalid query parameters", last_response.body
end
test "displays statement invalid template correctly" do test "displays statement invalid template correctly" do
controller :foo, <<-RUBY controller :foo, <<-RUBY
class FooController < ActionController::Base class FooController < ActionController::Base