FIX: return a 400 error instead of 500 for null injections

Many security scanners like to inject NULL bytes into inputs, causing the application
to raise an exception and return a 500

We now handle this exception and render a 400 status back
Sam 2018-09-04 12:11:42 +10:00
parent 0a14e0a256
commit 2f5c21e28c
2 changed files with 18 additions and 0 deletions


@ -156,6 +156,14 @@ class ApplicationController < ActionController::Base
end end
end end
rescue_from ArgumentError do |e|
if e.message == "string contains null byte"
raise Discourse::InvalidParameters, e.message
else
raise e
end
end
rescue_from Discourse::InvalidParameters do |e| rescue_from Discourse::InvalidParameters do |e|
message = I18n.t('invalid_params', message: e.message) message = I18n.t('invalid_params', message: e.message)
if (request.format && request.format.json?) || request.xhr? || !request.get? if (request.format && request.format.json?) || request.xhr? || !request.get?
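Review bot: The new ArgumentError handler decides on `e.message == "string contains null byte"`, an exact match on text owned by the raising library (Ruby core or the database driver) rather than by this code, so an upstream rewording would silently route those requests back to a 500. Pulling the literal into a named constant with a comment, e.g. `NULL_BYTE_MESSAGE = "string contains null byte".freeze # wording comes from Ruby/the DB driver, not from us`, at least makes that dependency visible, and `e.message.include?("null byte")` would survive minor rewordings at the cost of being slightly broader. Both branches raise from inside a rescue_from handler; the added search spec pins the null-byte path to a 400, but the `raise e` fallback for other ArgumentErrors has no spec, so a quick request test that it still surfaces as before would be worthwhile. The enclosing ApplicationController class continues outside the hunk.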


@ -16,6 +16,16 @@ describe SearchController do
$redis.flushall $redis.flushall
end end
it "returns a 400 error if you search for null bytes" do
term = "hello\0hello"
get "/search/query.json", params: {
term: term, include_blurb: true
}
expect(response.status).to eq(400)
end
it "can search correctly" do it "can search correctly" do
my_post = Fabricate(:post, raw: 'this is my really awesome post') my_post = Fabricate(:post, raw: 'this is my really awesome post')