Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parsing query params may lead to unhandled Rack exception. #2488

Open
ericproulx opened this issue Aug 2, 2024 · 0 comments
Open

Parsing query params may lead to unhandled Rack exception. #2488

ericproulx opened this issue Aug 2, 2024 · 0 comments
Labels

Comments

@ericproulx
Copy link
Contributor

These exceptions are not handled when parsing query params.

We need to rescue them when building params and whenever we are calling Rack::Utils.parse_nested_query

potential_version = Rack::Utils.parse_nested_query(env[Rack::QUERY_STRING])[parameter_key]

fmt = Rack::Utils.parse_nested_query(env[Rack::QUERY_STRING])[FORMAT]

This test will raise an Rack::QueryParser::ParamsTooDeepError. Nonetheless, having a rescue_from :all would handle it but I don't think its user's responsibility.

context 'query params ParamsTooDeepError' do
  subject { last_response }

  let(:params) do
    "foo#{"[a]" * Rack::Utils.param_depth_limit}=bar"
  end

  let(:api) do
    Class.new(described_class) do
      get { 'yes!' }
    end
  end

  let(:app) { api }

  before { get "/?#{params}" }

  it { is_expected.to be_successful }
end

Here are other cases from Rack's test suite
https://github.com/rack/rack/blob/df241355a7f122dc22437398267c1d5f0b27e1ad/test/spec_utils.rb#L230-L239

In the end, we should return a 400 according to Rack

@dblock dblock added the bug? label Oct 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants