FIX: Better error handling for invalid locale bundle versions

2019-11-11 22:30:31 +01:00 · 2019-11-11 22:30:31 +01:00 · 6ebffaaf6e
parent 34665d3f96
commit 6ebffaaf6e
2 changed files with 17 additions and 4 deletions
--- a/app/controllers/extra_locales_controller.rb
+++ b/app/controllers/extra_locales_controller.rb
@ -9,15 +9,20 @@ class ExtraLocalesController < ApplicationController
    :verify_authenticity_token

  OVERRIDES_BUNDLE ||= 'overrides'
+  MD5_HASH_LENGTH ||= 32

  def show
    bundle = params[:bundle]
-
    raise Discourse::InvalidAccess.new if !valid_bundle?(bundle)

-    if params[:v]&.size == 32
-      hash = ExtraLocalesController.bundle_js_hash(bundle)
-      immutable_for(1.year) if hash == params[:v]
+    version = params[:v]
+    if version.present?
+      if version.kind_of?(String) && version.length == MD5_HASH_LENGTH
+        hash = ExtraLocalesController.bundle_js_hash(bundle)
+        immutable_for(1.year) if hash == version
+      else
+        raise Discourse::InvalidParameters.new(:v)
+      end
    end

    render plain: ExtraLocalesController.bundle_js(bundle), content_type: "application/javascript"
--- a/spec/requests/extra_locales_controller_spec.rb
+++ b/spec/requests/extra_locales_controller_spec.rb
@ -23,6 +23,14 @@ describe ExtraLocalesController do
      expect(response.status).to eq(403)
    end

+    it "requires a valid version" do
+      get "/extra-locales/overrides", params: { v: 'a' }
+      expect(response.status).to eq(400)
+
+      get "/extra-locales/overrides?v[foo]=1"
+      expect(response.status).to eq(400)
+    end
+
    context "logged in as a moderator" do

      let(:moderator) { Fabricate(:moderator) }