FIX: return a 400 error instead of 500 for null injections

Many security scanners like to inject NULL in inputs causing application to exception out and return a 500 We now handle this exception and render a 400 status back
2024-11-22 12:12:26 +08:00 · 2018-09-04 12:11:42 +10:00 · 2018-09-04 12:11:42 +10:00 · 2f5c21e28c
commit 2f5c21e28c
parent 0a14e0a256
2 changed files with 18 additions and 0 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -156,6 +156,14 @@ class ApplicationController < ActionController::Base
    end
  end

+  rescue_from ArgumentError do |e|
+    if e.message == "string contains null byte"
+      raise Discourse::InvalidParameters, e.message
+    else
+      raise e
+    end
+  end
+
  rescue_from Discourse::InvalidParameters do |e|
    message = I18n.t('invalid_params', message: e.message)
    if (request.format && request.format.json?) || request.xhr? || !request.get?
--- a/spec/requests/search_controller_spec.rb
+++ b/spec/requests/search_controller_spec.rb
@ -16,6 +16,16 @@ describe SearchController do
      $redis.flushall
    end

+    it "returns a 400 error if you search for null bytes" do
+      term = "hello\0hello"
+
+      get "/search/query.json", params: {
+        term: term, include_blurb: true
+      }
+
+      expect(response.status).to eq(400)
+    end
+
    it "can search correctly" do
      my_post = Fabricate(:post, raw: 'this is my really awesome post')