add a honeypot field to the error submission form

fixes CNVS-29616

test plan
- navigate to an error page that has the "Click here to tell us
 what you were looking for" form. the 404 page you get when you
 set an id in the url to something that doesn't exist works great.
- submit the error form
- ensure the error form was submitted
- use the "Inspect Element" feature of your browser to find the
 hidden input field with the id "error_username"
- set the value of the hidden input field to anything
- submit the error form
- ensure the submission is rejected: the server answers with an empty 400 response and no error report is created

Change-Id: I3c19682fff1414c595bacb1d2d5746fb5d41cb11
Reviewed-on: https://gerrit.instructure.com/80724
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Joel Hough <joel@instructure.com>
Joel Hough 2016-05-26 02:01:55 -06:00
parent f63aae4881
commit 7a058b75b8
3 changed files with 8 additions and 5 deletions


@ -7,6 +7,7 @@ require [
"compiled/jquery.rails_flash_notifications"
], (I18n, $, htmlEscape) ->
$(document).ready ->
$("#error_username").hide()
requiredFields = []
if window.ENV.current_user.display_name == undefined
requiredFields = ['error[email]']
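Review bot: Hiding the honeypot with `$("#error_username").hide()` inside the ready handler means the field is rendered visible and only disappears once this script has loaded and run; a user with JavaScript disabled, or one who fills the form before ready fires, sees an unlabeled text box and is rejected if they type in it. Hiding it in the markup (the view already uses the `hidden` style helper on the form itself) removes that window and keeps the JS-side hide as a fallback. The ready callback continues past the end of the hunk.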


@ -135,6 +135,10 @@ class ErrorsController < ApplicationController
reporter = @current_user.try(:fake_student?) ? @real_current_user : @current_user
error = params[:error] || {}
# this is a honeypot field to catch spambots. it's hidden via css and should always be empty.
return render(nothing: true, status: 400) if error.delete(:username).present?
error[:user_agent] = request.headers['User-Agent']
begin
report_id = error.delete(:id)
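Review bot: The comment on the new check says the field "is hidden via css", but in this commit it is hidden by a jQuery `.hide()` at DOM ready, and the input is named `username`, which is exactly the kind of name browser autofill and password managers key on — some of them populate `display:none` inputs too — so a legitimate user can be turned away here with a bodiless 400 and no explanation. I would rename the field to something autofill does not recognise, add `autocomplete="off"` to it in the view, and reword the comment to `# honeypot for spambots: the field is hidden client-side and must stay empty; a non-empty value is rejected without creating a report`. Consider also rendering a short explanatory message instead of `nothing: true` so a false positive is at least diagnosable. The method body continues outside the hunk.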


@ -1,12 +1,10 @@
<%
visible ||= false
error_category ||= '404'
%>
<form id="submit_error_form" style="<%= hidden unless visible %>" action="<%= errors_path %>" method="POST">
<% error_category ||= '404' %>
<form id="submit_error_form" style="<%= hidden %>" action="<%= errors_path %>" method="POST">
<%= hidden_field :error, :category, :value => error_category %>
<%= hidden_field :error, :id, :value => (@error.try(:id)) %>
<%= hidden_field :error, :url, :value => (request.url rescue "") %>
<div style="width: 100%; margin: 0px auto;">
<%= text_field :error, :username, :value => "" %><%# this is a honeypot field. it's hidden via css, but spambots don't know that. %>
<%= text_area :error, :comments, :style => "width: 100%; height: 100px; border: 1px solid #888;" %>
<% if @current_user %>
<%= before_label('email_optional', %{Email (optional)}) %>
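Review bot: The honeypot `text_field :error, :username` is generated with no `autocomplete`, `tabindex` or ARIA attributes, so it is reachable by Tab, can be announced by assistive technology before the JS hide runs, and invites browser/password-manager autofill because of its name; `<%= text_field :error, :username, :value => "", :autocomplete => "off", :tabindex => "-1", "aria-hidden" => "true" %>` closes those gaps. The hunk also drops the `visible` local, so any caller that still renders this partial with `visible: true` now gets a hidden form with no error; whether such callers exist is not visible here and is worth a grep. The ERB template continues past the end of the hunk.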