FIX: return a 400 error instead of 500 for null injections
Many security scanners like to inject NULL in inputs causing application to exception out and return a 500 We now handle this exception and render a 400 status back
This commit is contained in:
parent
0a14e0a256
commit
2f5c21e28c
|
@ -156,6 +156,14 @@ class ApplicationController < ActionController::Base
|
|||
end
|
||||
end
|
||||
|
||||
rescue_from ArgumentError do |e|
|
||||
if e.message == "string contains null byte"
|
||||
raise Discourse::InvalidParameters, e.message
|
||||
else
|
||||
raise e
|
||||
end
|
||||
end
|
||||
|
||||
rescue_from Discourse::InvalidParameters do |e|
|
||||
message = I18n.t('invalid_params', message: e.message)
|
||||
if (request.format && request.format.json?) || request.xhr? || !request.get?
|
||||
|
|
|
@ -16,6 +16,16 @@ describe SearchController do
|
|||
$redis.flushall
|
||||
end
|
||||
|
||||
it "returns a 400 error if you search for null bytes" do
|
||||
term = "hello\0hello"
|
||||
|
||||
get "/search/query.json", params: {
|
||||
term: term, include_blurb: true
|
||||
}
|
||||
|
||||
expect(response.status).to eq(400)
|
||||
end
|
||||
|
||||
it "can search correctly" do
|
||||
my_post = Fabricate(:post, raw: 'this is my really awesome post')
|
||||
|
||||
|
|
Loading…
Reference in New Issue