DEV: Handle bad parameters in TopicsController#wordpress (#23404)

We're seeing a large amount of log noise from this endpoint due to malicious scanners that are trying to send clever params and seeing if they can break something.

This change simply rescues any NoMethodError during parameter parsing and re-raises a Discourse::InvalidParameters exception, which will be caught and render a 400.
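Added here as an illustration, not part of the Discourse commit: a Ruby sketch of the narrower alternative, where each query parameter is type-checked and coerced explicitly and a dedicated exception is raised for non-scalar input, instead of rescuing NoMethodError around the whole options hash. `InvalidParameters`, `integer_param`, `boolean_param` and `build_wordpress_opts` are assumed stand-ins for the controller code, and a plain Hash stands in for Rails params.

```ruby
# Stand-in for Discourse::InvalidParameters (assumed, not the project's class):
# carries the name of the rejected parameter so the 400 body can report it.
class InvalidParameters < StandardError
  attr_reader :param

  def initialize(param)
    @param = param
    super("invalid parameter: #{param}")
  end
end

# A normal query string yields String or nil values. Scanner input such as
# `best[leet]=haxx0r` arrives as a Hash and `best[]=1` as an Array; calling
# `.to_i` on either raises NoMethodError, which is the noise the commit saw.
# Rejecting non-scalars up front keeps genuine bugs visible as NoMethodError.
def integer_param(params, name, default: 0)
  value = params[name]
  return default if value.nil?
  return value if value.is_a?(Integer)
  raise InvalidParameters, name unless value.is_a?(String)
  value.to_i # same lenient coercion as params[:best].to_i in the controller
end

# Hash#to_s does not raise, so `params[x].to_s == "true"` would silently
# treat a Hash as false; checking the type makes the behaviour uniform.
def boolean_param(params, name)
  value = params[name]
  return false if value.nil?
  raise InvalidParameters, name unless value.is_a?(String)
  value == "true"
end

# Mirrors the opts hash built by the wordpress action (assumed subset).
def build_wordpress_opts(params)
  {
    best: integer_param(params, :best),
    min_trust_level: integer_param(params, :min_trust_level, default: 1),
    only_moderator_liked: boolean_param(params, :only_moderator_liked),
    exclude_hidden: true,
  }
end
```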
Ted Johansson 2023-09-05 16:35:46 +08:00 committed by GitHub
parent cf8c3cf3f0
commit 752a2cc654
2 changed files with 21 additions and 11 deletions


@ -53,8 +53,8 @@ class TopicsController < ApplicationController
def show def show
flash["referer"] ||= request.referer[0..255] if request.referer flash["referer"] ||= request.referer[0..255] if request.referer
# We'd like to migrate the wordpress feed to another url. This keeps up backwards compatibility with # TODO: We'd like to migrate the wordpress feed to another url. This keeps up backwards
# existing installs. # compatibility with existing installs.
return wordpress if params[:best].present? return wordpress if params[:best].present?
# work around people somehow sending in arrays, # work around people somehow sending in arrays,
@ -212,6 +212,7 @@ class TopicsController < ApplicationController
:only_moderator_liked, :only_moderator_liked,
) )
begin
opts = { opts = {
best: params[:best].to_i, best: params[:best].to_i,
min_trust_level: params[:min_trust_level] ? params[:min_trust_level].to_i : 1, min_trust_level: params[:min_trust_level] ? params[:min_trust_level].to_i : 1,
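Review bot: The `begin` opened here wraps the entire `opts` literal, but the only failure being addressed is `.to_i` on a non-scalar value such as a Hash or Array for `best` or `min_trust_level`. Consider checking the parameter types before building the hash (for example rejecting anything that is not a String or nil) rather than guarding the whole block, so the handled region stays limited to the coercions that can actually fail on scanner input.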
@ -221,6 +222,9 @@ class TopicsController < ApplicationController
only_moderator_liked: params[:only_moderator_liked].to_s == "true", only_moderator_liked: params[:only_moderator_liked].to_s == "true",
exclude_hidden: true, exclude_hidden: true,
} }
rescue NoMethodError
raise Discourse::InvalidParameters
end
@topic_view = TopicView.new(params[:topic_id], current_user, opts) @topic_view = TopicView.new(params[:topic_id], current_user, opts)
discourse_expires_in 1.minute discourse_expires_in 1.minute
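Review bot: Rescuing `NoMethodError` around the whole block also converts genuine programming errors inside it into a client-side 400, hiding them from the error log where a 500 would have been noticed; narrowing the guard or validating types explicitly avoids that. Two smaller points on the same hunk: `params[:only_moderator_liked].to_s == "true"` never raises for a Hash value (Hash#to_s exists), so that parameter silently becomes `false` instead of triggering the new 400, which is inconsistent with the `.to_i` fields; and `raise Discourse::InvalidParameters` names no parameter, so if the exception accepts one, `raise Discourse::InvalidParameters.new(:best)` would make the 400 body tell the caller what was rejected.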


@ -78,6 +78,12 @@ RSpec.describe TopicsController do
"#{Discourse.base_url_no_prefix}#{moderator.avatar_template}", "#{Discourse.base_url_no_prefix}#{moderator.avatar_template}",
) )
end end
it "does not error out when using invalid parameters" do
get "/t/#{p1.topic.id}/wordpress.json", params: { topic_id: 1, best: { leet: "haxx0r" } }
expect(response.status).to eq(400)
end
end end
describe "#move_posts" do describe "#move_posts" do
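Review bot: The new spec only covers a Hash-valued `best`; the `show` action's own comment mentions callers "sending in arrays", so add a second case with `best: ["1"]` (and ideally a Hash for `min_trust_level`) to pin down the 400 for every parameter the rescue is meant to cover. Also, `topic_id: 1` in the query params duplicates the route segment `/t/#{p1.topic.id}/...` and is overridden by it, so either drop it or use `p1.topic.id` to avoid implying the request targets topic 1.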