mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
82fc62ca71
When parsing HTTP request parameters, Rails delegates to a set of parsing strategies based on the MIME type. If any of these strategies raises an error, Rails rescues it and raises an instance of `ActionDispatch::Http::Parameters::ParseError` with the same message as the underlying error. However, in the presence of malformed JSON, the default parameter parser for the `application/json` MIME type raises a `JSON::ParserError` with a message containing the entire malformed JSON string (the request body in this context). By raising a new error with this same message, Rails inadvertently ends up logging the full HTTP request body at the `fatal` level. This request body could contain sensitive information or could be intentionally crafted to be extremely large. This commit sets the `ActionDispatch::Http::Parameters::ParseError` message to a static message which mirrors that of the corresponding `debug` log. |
||
---|---|---|
.. | ||
json_params_parsing_test.rb | ||
multipart_params_parsing_test.rb | ||
query_string_parsing_test.rb | ||
session_test.rb | ||
url_encoded_params_parsing_test.rb |