From 71fce71c94b1e94ae3a7af17bfc141709b61c428 Mon Sep 17 00:00:00 2001
From: ThibG
Date: Thu, 14 May 2020 23:28:06 +0200
Subject: [PATCH] Fix webfinger returning wrong status code on malformed or missing param (#13759)

Fixes #13757
---
 app/controllers/well_known/webfinger_controller.rb | 7 ++++++-
 app/lib/webfinger_resource.rb | 4 +++-
 .../well_known/webfinger_controller_spec.rb | 10 ++++++++++
 spec/lib/webfinger_resource_spec.rb | 12 +++++++++++-
 4 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/app/controllers/well_known/webfinger_controller.rb b/app/controllers/well_known/webfinger_controller.rb
index 480e58f3f04..9de9db6ba8c 100644
--- a/app/controllers/well_known/webfinger_controller.rb
+++ b/app/controllers/well_known/webfinger_controller.rb
@@ -8,7 +8,8 @@ module WellKnown
     before_action :set_account
     before_action :check_account_suspension
 
-    rescue_from ActiveRecord::RecordNotFound, ActionController::ParameterMissing, with: :not_found
+    rescue_from ActiveRecord::RecordNotFound, with: :not_found
+    rescue_from ActionController::ParameterMissing, WebfingerResource::InvalidRequest, with: :bad_request
 
     def show
       expires_in 3.days, public: true
@@ -37,6 +38,10 @@ module WellKnown
       expires_in(3.minutes, public: true) && gone if @account.suspended?
     end
 
+    def bad_request
+      head 400
+    end
+
     def not_found
       head 404
     end
diff --git a/app/lib/webfinger_resource.rb b/app/lib/webfinger_resource.rb
index 22d78874a4b..42094548595 100644
--- a/app/lib/webfinger_resource.rb
+++ b/app/lib/webfinger_resource.rb
@@ -3,6 +3,8 @@
 class WebfingerResource
   attr_reader :resource
 
+  class InvalidRequest < StandardError; end
+
   def initialize(resource)
     @resource = resource
   end
@@ -14,7 +16,7 @@ class WebfingerResource
     when /\@/
       username_from_acct
     else
-      raise(ActiveRecord::RecordNotFound)
+      raise InvalidRequest
     end
   end
 
diff --git a/spec/controllers/well_known/webfinger_controller_spec.rb b/spec/controllers/well_known/webfinger_controller_spec.rb
index 20275aa63bc..46f63185b9e 100644
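Review bot: The new `rescue_from ActionController::ParameterMissing, WebfingerResource::InvalidRequest, with: :bad_request` line encodes a protocol requirement that nothing in the file states; RFC 7033 §4.2 requires a 400 when the resource parameter is missing or malformed, and a comment above the two rescue_from lines such as `# RFC 7033 §4.2: missing or malformed resource => 400, unknown account => 404` would keep the split from being folded back into one handler later. InvalidRequest is raised only by the `else` branch of WebfingerResource#username; if username_from_url or username_from_acct still reject other malformed shapes with ActiveRecord::RecordNotFound (not visible in this patch), those requests keep answering 404, which is worth checking against the same RFC section. The `bad_request` handler added in the second hunk of this file is the matching half of this change and needs no further note. The enclosing WebfingerController class starts and ends outside the hunk.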
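Review bot: `class InvalidRequest < StandardError; end` is an exception the controller now relies on for HTTP status mapping, yet it carries no documentation of when it is raised or what callers should do with it. A comment above it such as `# Raised when the resource is neither a URL nor an acct: form; WellKnown::WebfingerController maps it to HTTP 400` would make that contract explicit at the point of definition. Class WebfingerResource continues outside the hunk.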
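Review bot: `raise InvalidRequest` carries no message, so the exception surfaces in logs and in the spec's raise_error matcher as a bare class name with no indication of what was rejected. A fixed message, `raise InvalidRequest, 'resource is neither a URL nor an acct: URI'`, is enough for triage; keep the raw client-supplied resource string out of the message so that unvalidated input is not copied into log lines. The enclosing `username` method starts outside the hunk.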
--- a/spec/controllers/well_known/webfinger_controller_spec.rb
+++ b/spec/controllers/well_known/webfinger_controller_spec.rb
@@ -84,5 +84,15 @@ PEM
 
         expect(response).to have_http_status(:not_found)
       end
+
+      it 'returns http bad request when not given a resource parameter' do
+        get :show, params: { }, format: :json
+        expect(response).to have_http_status(:bad_request)
+      end
+
+      it 'returns http bad request when given a nonsense parameter' do
+        get :show, params: { resource: 'df/:dfkj' }
+        expect(response).to have_http_status(:bad_request)
+      end
     end
   end
diff --git a/spec/lib/webfinger_resource_spec.rb b/spec/lib/webfinger_resource_spec.rb
index 287537a2610..236e9f3e2d7 100644
--- a/spec/lib/webfinger_resource_spec.rb
+++ b/spec/lib/webfinger_resource_spec.rb
@@ -39,7 +39,7 @@ describe WebfingerResource do
 
       expect {
         WebfingerResource.new(resource).username
-      }.to raise_error(ActiveRecord::RecordNotFound)
+      }.to raise_error(WebfingerResource::InvalidRequest)
     end
 
     it 'finds the username in a valid https route' do
@@ -123,5 +123,15 @@ describe WebfingerResource do
         expect(result).to eq 'alice'
       end
     end
+
+    describe 'with a nonsense resource' do
+      it 'raises InvalidRequest' do
+        resource = 'df/:dfkj'
+
+        expect {
+          WebfingerResource.new(resource).username
+        }.to raise_error(WebfingerResource::InvalidRequest)
+      end
+    end
   end
 end
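Review bot: The second new example, `get :show, params: { resource: 'df/:dfkj' }`, omits the `format: :json` that the first new example and the surrounding example pass, so the two examples exercise different request formats for what is meant to be the same 400 behaviour; adding `format: :json` keeps them parallel and makes the nonsense-resource case test the JSON path the other examples cover. In the first example `params: { }` would be `params: {}` under the community style guide (RuboCop Layout/SpaceInsideHashLiteralBraces). The enclosing describe/context blocks start outside the hunk.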