kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Use static message when raising HTTP request parameter parse errors

Browse source 
When parsing HTTP request parameters, Rails delegates to a set of parsing
strategies based on the MIME type. If any of these strategies raises an
error Rails rescues it and raises an instance of
`ActionDispatch::Http::Parameters::ParseError` with the same message as
the underlying error.

However, in the presence of malformed JSON, the default parameter parser
for the `application/json` MIME type raises a `JSON:ParserError` with a
message containing the entire malformed JSON string (the request body in
this context). By raising a new error with this same message Rails
inadvertently ends up logging the full HTTP request body at the `fatal`
level. This request body could contain sensitive information or could be
intentionally crafted to be extremely large.

This commit sets the `ActionDispatch::Http::Parameters::ParseError` message
to a static message which mirrors that of the corresponding `debug` log.
This commit is contained in:
Aaron Lahey 2021-08-28 11:41:08 -05:00
parent 6bd3925244
commit 82fc62ca71
No known key found for this signature in database
GPG key ID: 3B4490D2CA5CC2D3
3 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
actionpack/CHANGELOG.md
View file

@ -1,3 +1,11 @@
* Use a static error message when raising `ActionDispatch::Http::Parameters::ParseError`
to avoid inadvertently logging the HTTP request body at the `fatal` level when it contains
malformed JSON.
Fixes #41145
*Aaron Lahey*
* Add `Middleware#delete!` to delete middleware or raise if not found. * Add `Middleware#delete!` to delete middleware or raise if not found.
`Middleware#delete!` works just like `Middleware#delete` but will `Middleware#delete!` works just like `Middleware#delete` but will

6
actionpack/lib/action_dispatch/http/parameters.rb
View file

@ -17,8 +17,8 @@ module ActionDispatch
# Raised when raw data from the request cannot be parsed by the parser # Raised when raw data from the request cannot be parsed by the parser
# defined for request's content MIME type. # defined for request's content MIME type.
class ParseError < StandardError class ParseError < StandardError
def initialize def initialize(message = $!.message)
super($!.message) super(message)
end end
end end
@ -93,7 +93,7 @@ module ActionDispatch
strategy.call(raw_post) strategy.call(raw_post)
rescue # JSON or Ruby code block errors. rescue # JSON or Ruby code block errors.
log_parse_error_once log_parse_error_once
raise ParseError raise ParseError, "Error occurred while parsing request parameters"
end end
end end

2
actionpack/test/dispatch/request/json_params_parsing_test.rb
View file

@ -80,7 +80,7 @@ class JsonParamsParsingTest < ActionDispatch::IntegrationTest
post "/parse", params: json, headers: { "CONTENT_TYPE" => "application/json", "action_dispatch.show_exceptions" => false } post "/parse", params: json, headers: { "CONTENT_TYPE" => "application/json", "action_dispatch.show_exceptions" => false }
end end
assert_equal JSON::ParserError, exception.cause.class assert_equal JSON::ParserError, exception.cause.class
assert_equal exception.cause.message, exception.message assert_equal "Error occurred while parsing request parameters", exception.message
ensure ensure
$stderr = STDERR $stderr = STDERR
end end