Rescue Rack::QueryParser::ParamsTooDeepError in HTTP request.

- render HTTP 400 - needs Rack 2.2.4+
2022-09-11 01:40:28 +02:00 · 2022-09-11 01:40:28 +02:00 · b0fdca4fbc
parent e4990eec1c
commit b0fdca4fbc
4 changed files with 24 additions and 5 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -39,7 +39,7 @@ PATH
    actionpack (7.1.0.alpha)
      actionview (= 7.1.0.alpha)
      activesupport (= 7.1.0.alpha)
-      rack (~> 2.0, >= 2.2.0)
+      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
@ -380,7 +380,7 @@ GEM
      pg (>= 1.1, < 2.0)
    raabro (1.4.0)
    racc (1.6.0)
-    rack (2.2.3)
+    rack (2.2.4)
    rack-cache (1.13.0)
      rack (>= 0.4)
    rack-protection (2.1.0)
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@ -35,7 +35,7 @@ Gem::Specification.new do |s|

  s.add_dependency "activesupport", version

-  s.add_dependency "rack",      "~> 2.0", ">= 2.2.0"
+  s.add_dependency "rack",      "~> 2.0", ">= 2.2.4"
  s.add_dependency "rack-test", ">= 0.6.3"
  s.add_dependency "rails-html-sanitizer", "~> 1.0", ">= 1.2.0"
  s.add_dependency "rails-dom-testing", "~> 2.0"
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@ -391,7 +391,7 @@ module ActionDispatch
        Request::Utils.check_param_encoding(rack_query_params)
        set_header k, Request::Utils.normalize_encode_params(rack_query_params)
      end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError => e
      raise ActionController::BadRequest.new("Invalid query parameters: #{e.message}")
    end
    alias :query_parameters :GET
@ -406,7 +406,7 @@ module ActionDispatch
        Request::Utils.check_param_encoding(pr)
        self.request_parameters = Request::Utils.normalize_encode_params(pr)
      end
-    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, EOFError => e
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError, Rack::QueryParser::ParamsTooDeepError, EOFError => e
      raise ActionController::BadRequest.new("Invalid request parameters: #{e.message}")
    end
    alias :request_parameters :POST
--- a/railties/test/application/middleware/exceptions_test.rb
+++ b/railties/test/application/middleware/exceptions_test.rb
@ -201,6 +201,25 @@ module ApplicationTests
      assert_match "Invalid query parameters", last_response.body
    end

+    test "displays diagnostics message when too deep query parameters are provided" do
+      controller :foo, <<-RUBY
+        class FooController < ActionController::Base
+          def index
+          end
+        end
+      RUBY
+
+      app.config.action_dispatch.show_exceptions = true
+      app.config.consider_all_requests_local = true
+
+      limit = Rack::Utils.param_depth_limit + 1
+      malicious_url = "/foo?#{'[test]' * limit}=test"
+
+      get malicious_url
+      assert_equal 400, last_response.status
+      assert_match "Invalid query parameters", last_response.body
+    end
+
    test "displays statement invalid template correctly" do
      controller :foo, <<-RUBY
        class FooController < ActionController::Base