DEV: Handle bad parameters in TopicsController#wordpress (#23404)
We're seeing a large number of log noise from this endpoint due to malicious scanners that are trying to send clever params and seeing if they can break something. This change simply rescues any NoMethodError during parameter parsing and re-raises a Discourse::InvalidParameters exception, which will be caught and render a 400.
This commit is contained in:
parent
cf8c3cf3f0
commit
752a2cc654
|
@ -53,8 +53,8 @@ class TopicsController < ApplicationController
|
|||
def show
|
||||
flash["referer"] ||= request.referer[0..255] if request.referer
|
||||
|
||||
# We'd like to migrate the wordpress feed to another url. This keeps up backwards compatibility with
|
||||
# existing installs.
|
||||
# TODO: We'd like to migrate the wordpress feed to another url. This keeps up backwards
|
||||
# compatibility with existing installs.
|
||||
return wordpress if params[:best].present?
|
||||
|
||||
# work around people somehow sending in arrays,
|
||||
|
@ -212,6 +212,7 @@ class TopicsController < ApplicationController
|
|||
:only_moderator_liked,
|
||||
)
|
||||
|
||||
begin
|
||||
opts = {
|
||||
best: params[:best].to_i,
|
||||
min_trust_level: params[:min_trust_level] ? params[:min_trust_level].to_i : 1,
|
||||
|
@ -221,6 +222,9 @@ class TopicsController < ApplicationController
|
|||
only_moderator_liked: params[:only_moderator_liked].to_s == "true",
|
||||
exclude_hidden: true,
|
||||
}
|
||||
rescue NoMethodError
|
||||
raise Discourse::InvalidParameters
|
||||
end
|
||||
|
||||
@topic_view = TopicView.new(params[:topic_id], current_user, opts)
|
||||
discourse_expires_in 1.minute
|
||||
|
|
|
@ -78,6 +78,12 @@ RSpec.describe TopicsController do
|
|||
"#{Discourse.base_url_no_prefix}#{moderator.avatar_template}",
|
||||
)
|
||||
end
|
||||
|
||||
it "does not error out when using invalid parameters" do
|
||||
get "/t/#{p1.topic.id}/wordpress.json", params: { topic_id: 1, best: { leet: "haxx0r" } }
|
||||
|
||||
expect(response.status).to eq(400)
|
||||
end
|
||||
end
|
||||
|
||||
describe "#move_posts" do
|
||||
|
|
Loading…
Reference in New Issue