From cb23580684e22dca00db3e3414d1a54f21491b47 Mon Sep 17 00:00:00 2001 From: Alex Robbin Date: Wed, 16 Dec 2020 20:48:09 -0500 Subject: [PATCH] change request method to a `GET` when passing failed requests to `config.exceptions_app` Similar to #38998 (fixed in #40246), HTTP method validation occurring whenever methods are called on `ActionDispatch::Request` can cause some weird unintended consequences. For example, if `config.exceptions_app = self.routes`, you get an exception raised via the `ActionDispatch::ShowExceptions` middleware failsafe: ``` Started TEST "/" for 127.0.0.1 at 2020-11-05 15:40:31 -0500 (1.0ms) SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC TEST, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKCALENDAR, and PATCH excluded from capture: DSN not set ActionController::UnknownHttpMethod (TEST, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKCALENDAR, and PATCH): actionpack (6.0.3.4) lib/action_dispatch/http/request.rb:431:in `check_method' actionpack (6.0.3.4) lib/action_dispatch/http/request.rb:143:in `request_method' rack (2.2.3) lib/rack/request.rb:187:in `head?' actionpack (6.0.3.4) lib/action_dispatch/journey/router.rb:113:in `find_routes' actionpack (6.0.3.4) lib/action_dispatch/journey/router.rb:32:in `serve' actionpack (6.0.3.4) lib/action_dispatch/routing/route_set.rb:834:in `call' Error during failsafe response: TEST, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKCALENDAR, and PATCH /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/http/request.rb:431:in `check_method' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/http/request.rb:143:in `request_method' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/rack-2.2.3/lib/rack/request.rb:187:in `head?' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/journey/router.rb:113:in `find_routes' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/journey/router.rb:32:in `serve' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/routing/route_set.rb:834:in `call' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/middleware/show_exceptions.rb:50:in `render_exception' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/middleware/show_exceptions.rb:36:in `rescue in call' /usr/local/var/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/actionpack-6.0.3.4/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call' # ... ``` Now, to prevent the redundant exception, we overwrite `request_method` before passing `env` down to `config.exceptions_app`. `action_dispatch.original_request_method` is set to keep the original request method available for inspection. --- actionpack/CHANGELOG.md | 4 ++++ .../action_dispatch/middleware/show_exceptions.rb | 2 ++ .../test/application/middleware/exceptions_test.rb | 14 ++++++++++++++ 3 files changed, 20 insertions(+) diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index c44f8db7b5..c9f1487b50 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +* Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`. + + *Alex Robbin* + * Add `redirect_back_or_to(fallback_location, **)` as a more aesthetically pleasing version of `redirect_back fallback_location:, **`. The old method name is retained without explicit deprecation. diff --git a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb index a35c0da3d9..7bc5d2a8d4 100644 --- a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb +++ b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb @@ -46,7 +46,9 @@ module ActionDispatch status = wrapper.status_code request.set_header "action_dispatch.exception", wrapper.unwrapped_exception request.set_header "action_dispatch.original_path", request.path_info + request.set_header "action_dispatch.original_request_method", request.raw_request_method request.path_info = "/#{status}" + request.request_method = "GET" response = @exceptions_app.call(request.env) response[1]["X-Cascade"] == "pass" ? pass_response(status) : response rescue Exception => failsafe_error diff --git a/railties/test/application/middleware/exceptions_test.rb b/railties/test/application/middleware/exceptions_test.rb index 87529c951c..098f06254c 100644 --- a/railties/test/application/middleware/exceptions_test.rb +++ b/railties/test/application/middleware/exceptions_test.rb @@ -51,6 +51,20 @@ module ApplicationTests assert_equal 405, last_response.status end + test "renders unknown http methods as 405 when routes are used as the custom exceptions app" do + app_file "config/routes.rb", <<-RUBY + Rails.application.routes.draw do + end + RUBY + + add_to_config "config.exceptions_app = self.routes" + + app.config.action_dispatch.show_exceptions = true + + request "/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD" } + assert_equal 405, last_response.status + end + test "uses custom exceptions app" do add_to_config <<-RUBY config.exceptions_app = lambda do |env|