Fix issues with bogus % encoded sequences in URLs

Add a URI sanitizer to the rack stack avoid rack throwing
exceptions on the server side, and ignore errors decoding
components on the client side.

Fixes #1101

diff --git a/Gemfile b/Gemfile
index 8f81ab3ec943e7b46bbd6eea9cb15eb374e93179..3789c9fb8df1a6ac500e6ed5787a7c5782a3edce 100644 (file)
--- a/Gemfile
+++ b/Gemfile
@@ -54,6 +54,9 @@ gem "i18n-js", ">= 3.0.0.rc10"
 gem "rack-cors"
 gem "actionpack-page_caching"
 
+# Sanitise URIs
+gem "rack-uri_sanitizer"
+
 # Omniauth for authentication
 gem "omniauth"
 gem "omniauth-openid"

diff --git a/Gemfile.lock b/Gemfile.lock
index 18015c244f9d307ce8ed5dd7d2328fe32cdb2a75..83d9ae473bce5ca70e45f576d25370da8622279b 100644 (file)
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -39,12 +39,12 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    addressable (2.3.8)
+    addressable (2.4.0)
     arel (6.0.3)
     ast (2.1.0)
     astrolabe (1.3.1)
       parser (~> 2.2)
-    autoprefixer-rails (6.1.0.1)
+    autoprefixer-rails (6.1.2)
       execjs
       json
     bigdecimal (1.1.0)
@@ -70,10 +70,11 @@ GEM
     colorize (0.7.7)
     composite_primary_keys (8.1.1)
       activerecord (~> 4.2.0)
-    coveralls (0.8.9)
+    concurrent-ruby (1.0.0)
+    coveralls (0.8.10)
       json (~> 1.8)
       rest-client (>= 1.6.8, < 2)
-      simplecov (~> 0.10.0)
+      simplecov (~> 0.11.0)
       term-ansicolor (~> 1.3)
       thor (~> 0.19.1)
       tins (~> 1.6.0)
@@ -146,14 +147,14 @@ GEM
       mime-types (>= 1.16, < 3)
     mime-types (2.99)
     mimemagic (0.3.0)
-    mini_portile (0.6.2)
+    mini_portile2 (2.0.0)
     minitest (5.8.3)
     multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
     netrc (0.11.0)
-    nokogiri (1.6.6.4)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7)
+      mini_portile2 (~> 2.0.0.rc2)
     nokogumbo (1.4.1)
       nokogiri
     oauth (0.4.7)
@@ -197,7 +198,7 @@ GEM
     parser (2.2.3.0)
       ast (>= 1.1, < 3.0)
     pg (0.18.4)
-    poltergeist (1.8.0)
+    poltergeist (1.8.1)
       capybara (~> 2.1)
       cliver (~> 0.3.1)
       multi_json (~> 1.0)
@@ -213,6 +214,7 @@ GEM
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
+    rack-uri_sanitizer (0.0.2)
     rails (4.2.5)
       actionmailer (= 4.2.5)
       actionpack (= 4.2.5)
@@ -270,13 +272,14 @@ GEM
       sprockets (>= 2.8, < 4.0)
       sprockets-rails (>= 2.0, < 4.0)
       tilt (>= 1.1, < 3)
-    simplecov (0.10.0)
+    simplecov (0.11.1)
       docile (~> 1.1.0)
       json (~> 1.8)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.0)
     soap4r-ruby1.9 (2.0.5)
-    sprockets (3.4.0)
+    sprockets (3.5.1)
+      concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (2.3.3)
       actionpack (>= 3.0)
@@ -350,6 +353,7 @@ DEPENDENCIES
   psych
   r2
   rack-cors
+  rack-uri_sanitizer
   rails (= 4.2.5)
   rails-i18n (~> 4.0.0)
   redcarpet

diff --git a/app/assets/javascripts/osm.js.erb b/app/assets/javascripts/osm.js.erb
index 0f044c24fea192b2983f820dc81d29bdcf7e04f9..6a8b856bee2beaf155122cfcbb760a47e4931c64 100644 (file)
--- a/app/assets/javascripts/osm.js.erb
+++ b/app/assets/javascripts/osm.js.erb
@@ -53,7 +53,12 @@ OSM = {
         j = pair.indexOf('='),
         key = pair.slice(0, j),
         val = pair.slice(++j);
-      params[key] = decodeURIComponent(val);
+
+      try {
+        params[key] = decodeURIComponent(val);
+      } catch (e) {
+        // Ignore parse exceptions
+      }
     }
 
     return params;

diff --git a/config/initializers/uri_sanitizer.rb b/config/initializers/uri_sanitizer.rb
new file mode 100644 (file)
index 0000000..7f3f3d0
--- /dev/null
+++ b/config/initializers/uri_sanitizer.rb
@@ -0,0 +1,2 @@
+# Add URI sanitizer to rack middleware
+Rails.configuration.middleware.insert_before Rack::Runtime, Rack::URISanitizer