From e20bb507f122f73d18021bf93efe85fc2e189dfb Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Mon, 7 Dec 2015 13:52:20 +0000 Subject: [PATCH] Fix issues with bogus % encoded sequences in URLs Add a URI sanitizer to the rack stack avoid rack throwing exceptions on the server side, and ignore errors decoding components on the client side. Fixes #1101 --- Gemfile | 3 +++ Gemfile.lock | 24 ++++++++++++++---------- app/assets/javascripts/osm.js.erb | 7 ++++++- config/initializers/uri_sanitizer.rb | 2 ++ 4 files changed, 25 insertions(+), 11 deletions(-) create mode 100644 config/initializers/uri_sanitizer.rb diff --git a/Gemfile b/Gemfile index 8f81ab3ec..3789c9fb8 100644 --- a/Gemfile +++ b/Gemfile @@ -54,6 +54,9 @@ gem "i18n-js", ">= 3.0.0.rc10" gem "rack-cors" gem "actionpack-page_caching" +# Sanitise URIs +gem "rack-uri_sanitizer" + # Omniauth for authentication gem "omniauth" gem "omniauth-openid" diff --git a/Gemfile.lock b/Gemfile.lock index 18015c244..83d9ae473 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -39,12 +39,12 @@ GEM minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - addressable (2.3.8) + addressable (2.4.0) arel (6.0.3) ast (2.1.0) astrolabe (1.3.1) parser (~> 2.2) - autoprefixer-rails (6.1.0.1) + autoprefixer-rails (6.1.2) execjs json bigdecimal (1.1.0) @@ -70,10 +70,11 @@ GEM colorize (0.7.7) composite_primary_keys (8.1.1) activerecord (~> 4.2.0) - coveralls (0.8.9) + concurrent-ruby (1.0.0) + coveralls (0.8.10) json (~> 1.8) rest-client (>= 1.6.8, < 2) - simplecov (~> 0.10.0) + simplecov (~> 0.11.0) term-ansicolor (~> 1.3) thor (~> 0.19.1) tins (~> 1.6.0) @@ -146,14 +147,14 @@ GEM mime-types (>= 1.16, < 3) mime-types (2.99) mimemagic (0.3.0) - mini_portile (0.6.2) + mini_portile2 (2.0.0) minitest (5.8.3) multi_json (1.11.2) multi_xml (0.5.5) multipart-post (2.0.0) netrc (0.11.0) - nokogiri (1.6.6.4) - mini_portile (~> 0.6.0) + nokogiri (1.6.7) + mini_portile2 (~> 2.0.0.rc2) nokogumbo (1.4.1) nokogiri oauth (0.4.7) 
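Review bot: `gem "rack-uri_sanitizer"` is added without a version constraint; the lockfile hunk resolves it to 0.0.2, a pre-1.0 release, and this middleware rewrites every request URI before the application sees it, so a later `bundle update` could change that behaviour with no Gemfile change to review. A pessimistic constraint keeps that explicit: `gem "rack-uri_sanitizer", "~> 0.0.2"`. Most neighbouring gems in this file are also unconstrained, so whether to pin here is a call for the project's convention.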
@@ -197,7 +198,7 @@ GEM parser (2.2.3.0) ast (>= 1.1, < 3.0) pg (0.18.4) - poltergeist (1.8.0) + poltergeist (1.8.1) capybara (~> 2.1) cliver (~> 0.3.1) multi_json (~> 1.0) @@ -213,6 +214,7 @@ GEM ruby-openid (>= 2.1.8) rack-test (0.6.3) rack (>= 1.0) + rack-uri_sanitizer (0.0.2) rails (4.2.5) actionmailer (= 4.2.5) actionpack (= 4.2.5) @@ -270,13 +272,14 @@ GEM sprockets (>= 2.8, < 4.0) sprockets-rails (>= 2.0, < 4.0) tilt (>= 1.1, < 3) - simplecov (0.10.0) + simplecov (0.11.1) docile (~> 1.1.0) json (~> 1.8) simplecov-html (~> 0.10.0) simplecov-html (0.10.0) soap4r-ruby1.9 (2.0.5) - sprockets (3.4.0) + sprockets (3.5.1) + concurrent-ruby (~> 1.0) rack (> 1, < 3) sprockets-rails (2.3.3) actionpack (>= 3.0) @@ -350,6 +353,7 @@ DEPENDENCIES psych r2 rack-cors + rack-uri_sanitizer rails (= 4.2.5) rails-i18n (~> 4.0.0) redcarpet diff --git a/app/assets/javascripts/osm.js.erb b/app/assets/javascripts/osm.js.erb index 0f044c24f..6a8b856be 100644 --- a/app/assets/javascripts/osm.js.erb +++ b/app/assets/javascripts/osm.js.erb @@ -53,7 +53,12 @@ OSM = { j = pair.indexOf('='), key = pair.slice(0, j), val = pair.slice(++j); - params[key] = decodeURIComponent(val); + + try { + params[key] = decodeURIComponent(val); + } catch (e) { + // Ignore parse exceptions + } } return params; diff --git a/config/initializers/uri_sanitizer.rb b/config/initializers/uri_sanitizer.rb new file mode 100644 index 000000000..7f3f3d06a --- /dev/null +++ b/config/initializers/uri_sanitizer.rb @@ -0,0 +1,2 @@ +# Add URI sanitizer to rack middleware +Rails.configuration.middleware.insert_before Rack::Runtime, Rack::URISanitizer -- 2.39.5
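Review bot: The new `catch` block drops the parameter entirely, so a caller reading `params[key]` afterwards gets `undefined` and cannot tell a malformed value from an absent one; that is a defensible choice for bogus %-sequences, but the comment should state it rather than just `// Ignore parse exceptions`, e.g. `// Malformed %-escape (URIError): drop this parameter rather than throw`. The bare catch also swallows anything else thrown, although `decodeURIComponent` is only specified to throw `URIError`, so a narrowing `if (!(e instanceof URIError)) throw e;` is optional. `key` on the context line above is still never decoded, which predates this change. The enclosing function starts and ends outside the hunk.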
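Review bot: The comment in the new initializer says what is inserted but not why, and the why is the whole reason the file exists; suggest `# Rewrite bogus %-encoded sequences in the request URI before the rest of the stack parses them, so rack does not raise on them (see #1101)`. Inserting before `Rack::Runtime` means any middleware the app's stack places ahead of `Rack::Runtime` still receives the raw URI; the resulting stack is not visible from this hunk, so it is worth confirming with `rake middleware` that nothing earlier parses the path or query string. What `Rack::URISanitizer` actually rewrites is also not visible here, so the comment should not promise more than "bogus sequences no longer raise".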