FIX: Don't throw 500 for invalid website url input

It's possible to cause a 500 error by putting in weird characters in the input field for updating a users website on their profile. Normal invalid input like not including the domain extension is already handled by the user_profile model validation. This fix ensures a server error doesn't occur for weird input characters.
2020-04-22 13:50:45 -06:00 · 2020-04-22 13:50:45 -06:00 · 9cbbaf4237
parent 8adccaf98c
commit 9cbbaf4237
2 changed files with 29 additions and 15 deletions
--- a/app/services/user_updater.rb
+++ b/app/services/user_updater.rb
@ -149,6 +149,7 @@ class UserUpdater

    saved = nil

+    begin
      User.transaction do
        if attributes.key?(:muted_usernames)
          update_muted_users(attributes[:muted_usernames])
@ -169,6 +170,10 @@ class UserUpdater
          )
        end
      end
+    rescue Addressable::URI::InvalidURIError => e
+      # Prevent 500 for crazy url input
+      return saved
+    end

    DiscourseEvent.trigger(:user_updated, user) if saved
    saved
--- a/spec/services/user_updater_spec.rb
+++ b/spec/services/user_updater_spec.rb
@ -416,6 +416,15 @@ describe UserUpdater do
      end
    end

+    context 'when website is invalid' do
+      it 'returns an error' do
+        user = Fabricate(:user)
+        updater = UserUpdater.new(acting_user, user)
+
+        expect(updater.update(website: 'ʔ<')).to eq nil
+      end
+    end
+
    context 'when custom_fields is empty string' do
      it "update is successful" do
        user = Fabricate(:user)