discourse/lib/middleware/discourse_public_exceptions.rb

# frozen_string_literal: true

# since all the rescue from clauses are not caught by the application controller for matches
# we need to handle certain exceptions here
module Middleware
  class DiscoursePublicExceptions < ::ActionDispatch::PublicExceptions
    INVALID_REQUEST_ERRORS =
      Set.new(
        [
          Rack::QueryParser::InvalidParameterError,
          ActionController::BadRequest,
          ActionDispatch::Http::Parameters::ParseError,
        ],
      )

    def initialize(path)
      super
    end

    def call(env)
      # this is so so gnarly
      # sometimes we leak out exceptions prior to creating a controller instance
      # this can happen if we have an exception in a route constraint in some cases
      # this code re-dispatches the exception to our application controller so we can
      # properly translate the exception to a page
      exception = env["action_dispatch.exception"]
      response = ActionDispatch::Response.new

      exception = nil if INVALID_REQUEST_ERRORS.include?(exception)

      if exception
        begin
          fake_controller = ApplicationController.new
          fake_controller.response = response
          fake_controller.request = request = ActionDispatch::Request.new(env)

          # We can not re-dispatch bad mime types
          begin
            request.format
          rescue Mime::Type::InvalidMimeType
            return [
              400,
              { "Cache-Control" => "private, max-age=0, must-revalidate" },
              ["Invalid MIME type"]
            ]
          end

          # Or badly formatted multipart requests
          begin
            request.POST
          rescue EOFError
            return [
              400,
              { "Cache-Control" => "private, max-age=0, must-revalidate" },
              ["Invalid request"]
            ]
          end

          if ApplicationController.rescue_with_handler(exception, object: fake_controller)
            body = response.body
            body = [body] if String === body
            return response.status, response.headers, body
          end
        rescue => e
          return super if INVALID_REQUEST_ERRORS.include?(e.class)
          Discourse.warn_exception(
            e,
            message: "Failed to handle exception in exception app middleware",
          )
        end
      end
      super
    end
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller 2018-01-11 22:15:10 -05:00			`# since all the rescue from clauses are not caught by the application controller for matches`
			`# we need to handle certain exceptions here`
			`module Middleware`
			`class DiscoursePublicExceptions < ::ActionDispatch::PublicExceptions`
DEV: Improve handling of invalid requests (#15841) Our discourse_public_exceptions middleware is designed to catch bubbled exceptions from lower in the stack, and then use `ApplicationController.rescue_with_handler` to render an appropriate error response. When the request itself is invalid, we had an escape-hatch to skip re-dispatching the request to ApplicationController. However, it was possible to work around this by 'layering' the errors. For example, if you made a request which resulted in a 404, but also had some other invalidity, the escape hatch would not be triggered. This commit ensures that these kind of 'layered' errors are properly handled, without logging warnings. It also adds detection for invalid JSON bodies and badly-formed multipart requests. The user-facing behavior is unchanged. This commit simply prevents warnings being logged for invalid requests. 2022-02-07 08:16:57 -05:00			`INVALID_REQUEST_ERRORS =`
			`Set.new(`
			`[`
			`Rack::QueryParser::InvalidParameterError,`
			`ActionController::BadRequest,`
			`ActionDispatch::Http::Parameters::ParseError,`
			`],`
			`)`
FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller 2018-01-11 22:15:10 -05:00
			`def initialize(path)`
			`super`
			`end`

			`def call(env)`
			`# this is so so gnarly`
			`# sometimes we leak out exceptions prior to creating a controller instance`
			`# this can happen if we have an exception in a route constraint in some cases`
			`# this code re-dispatches the exception to our application controller so we can`
			`# properly translate the exception to a page`
			`exception = env["action_dispatch.exception"]`
			`response = ActionDispatch::Response.new`

DEV: Improve handling of invalid requests (#15841) Our discourse_public_exceptions middleware is designed to catch bubbled exceptions from lower in the stack, and then use `ApplicationController.rescue_with_handler` to render an appropriate error response. When the request itself is invalid, we had an escape-hatch to skip re-dispatching the request to ApplicationController. However, it was possible to work around this by 'layering' the errors. For example, if you made a request which resulted in a 404, but also had some other invalidity, the escape hatch would not be triggered. This commit ensures that these kind of 'layered' errors are properly handled, without logging warnings. It also adds detection for invalid JSON bodies and badly-formed multipart requests. The user-facing behavior is unchanged. This commit simply prevents warnings being logged for invalid requests. 2022-02-07 08:16:57 -05:00			`exception = nil if INVALID_REQUEST_ERRORS.include?(exception)`
DEV: correct intermittent test failure ActionController::BadRequest can not be re-dispatched, under some conditions we are getting this vs InvalidParameterError in the following test https://github.com/discourse/discourse/blob/59c56bd20f4adc00732d712c6ec81a9239bc24ae/spec/requests/application_controller_spec.rb#L34-L62 2018-12-13 02:27:02 -05:00
FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller 2018-01-11 22:15:10 -05:00			`if exception`
FIX: regression, missing 404 page 2018-01-22 17:00:08 -05:00			`begin`
			`fake_controller = ApplicationController.new`
			`fake_controller.response = response`
FIX: do not log if an invalid mime type is passed to app Previously our custom exception handler was unable to handle situations where an invalid mime type was sent, resulting in a warning log This ensures we pretend a request is HTML for the purpose of rendering the error page if an invalid mime type from a scanner is shipped to the app 2019-11-20 23:51:18 -05:00			`fake_controller.request = request = ActionDispatch::Request.new(env)`

FIX: avoid superflous logging when mime type is bad Many security scanners ship invalid mime types, this ensures we return a very cheap response to the clients and do not log anything. Previous attempt still re-dispatched the request to get proper error page but in this specific case we want no error page. 2020-01-01 20:34:38 -05:00			`# We can not re-dispatch bad mime types`
FIX: do not log if an invalid mime type is passed to app Previously our custom exception handler was unable to handle situations where an invalid mime type was sent, resulting in a warning log This ensures we pretend a request is HTML for the purpose of rendering the error page if an invalid mime type from a scanner is shipped to the app 2019-11-20 23:51:18 -05:00			`begin`
			`request.format`
			`rescue Mime::Type::InvalidMimeType`
SECURITY: Disallow caching of MIME/Content-Type errors (#14907) This will sign intermediary proxies and/or misconfigured CDNs to not cache those error responses. 2021-11-12 13:52:25 -05:00			`return [`
			`400,`
			`{ "Cache-Control" => "private, max-age=0, must-revalidate" },`
			`["Invalid MIME type"]`
DEV: Apply syntax_tree formatting to `lib/*` 2023-01-09 07:10:19 -05:00			`]`
FIX: do not log if an invalid mime type is passed to app Previously our custom exception handler was unable to handle situations where an invalid mime type was sent, resulting in a warning log This ensures we pretend a request is HTML for the purpose of rendering the error page if an invalid mime type from a scanner is shipped to the app 2019-11-20 23:51:18 -05:00			`end`
FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller 2018-01-11 22:15:10 -05:00
DEV: Improve handling of invalid requests (#15841) Our discourse_public_exceptions middleware is designed to catch bubbled exceptions from lower in the stack, and then use `ApplicationController.rescue_with_handler` to render an appropriate error response. When the request itself is invalid, we had an escape-hatch to skip re-dispatching the request to ApplicationController. However, it was possible to work around this by 'layering' the errors. For example, if you made a request which resulted in a 404, but also had some other invalidity, the escape hatch would not be triggered. This commit ensures that these kind of 'layered' errors are properly handled, without logging warnings. It also adds detection for invalid JSON bodies and badly-formed multipart requests. The user-facing behavior is unchanged. This commit simply prevents warnings being logged for invalid requests. 2022-02-07 08:16:57 -05:00			`# Or badly formatted multipart requests`
			`begin`
			`request.POST`
			`rescue EOFError`
			`return [`
			`400,`
			`{ "Cache-Control" => "private, max-age=0, must-revalidate" },`
			`["Invalid request"]`
DEV: Apply syntax_tree formatting to `lib/*` 2023-01-09 07:10:19 -05:00			`]`
DEV: Improve handling of invalid requests (#15841) Our discourse_public_exceptions middleware is designed to catch bubbled exceptions from lower in the stack, and then use `ApplicationController.rescue_with_handler` to render an appropriate error response. When the request itself is invalid, we had an escape-hatch to skip re-dispatching the request to ApplicationController. However, it was possible to work around this by 'layering' the errors. For example, if you made a request which resulted in a 404, but also had some other invalidity, the escape hatch would not be triggered. This commit ensures that these kind of 'layered' errors are properly handled, without logging warnings. It also adds detection for invalid JSON bodies and badly-formed multipart requests. The user-facing behavior is unchanged. This commit simply prevents warnings being logged for invalid requests. 2022-02-07 08:16:57 -05:00			`end`

FIX: regression, missing 404 page 2018-01-22 17:00:08 -05:00			`if ApplicationController.rescue_with_handler(exception, object: fake_controller)`
			`body = response.body`
			`body = [body] if String === body`
			`return response.status, response.headers, body`
			`end`
			`rescue => e`
DEV: Improve handling of invalid requests (#15841) Our discourse_public_exceptions middleware is designed to catch bubbled exceptions from lower in the stack, and then use `ApplicationController.rescue_with_handler` to render an appropriate error response. When the request itself is invalid, we had an escape-hatch to skip re-dispatching the request to ApplicationController. However, it was possible to work around this by 'layering' the errors. For example, if you made a request which resulted in a 404, but also had some other invalidity, the escape hatch would not be triggered. This commit ensures that these kind of 'layered' errors are properly handled, without logging warnings. It also adds detection for invalid JSON bodies and badly-formed multipart requests. The user-facing behavior is unchanged. This commit simply prevents warnings being logged for invalid requests. 2022-02-07 08:16:57 -05:00			`return super if INVALID_REQUEST_ERRORS.include?(e.class)`
FIX: regression, missing 404 page 2018-01-22 17:00:08 -05:00			`Discourse.warn_exception(`
			`e,`
			`message: "Failed to handle exception in exception app middleware",`
			`)`
FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller 2018-01-11 22:15:10 -05:00			`end`
			`end`
			`super`
			`end`
			`end`
			`end`