-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Handle incorrectly UTF-8 encoded query and cookie url
Use a different exception when this situation is detected: * Sanitiser::Strategy::SanitisingError This error is not sent to Sentry. See: alphagov/govuk_app_config#402
- Loading branch information
Showing
5 changed files
with
118 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
module Sanitiser | ||
class Strategy | ||
class SanitisingError < StandardError; end | ||
|
||
class << self | ||
def call(input, sanitize_null_bytes: false) | ||
input | ||
.force_encoding(Encoding::ASCII_8BIT) | ||
.encode!(Encoding::UTF_8) | ||
if sanitize_null_bytes && Rack::UTF8Sanitizer::NULL_BYTE_REGEX.match?(input) | ||
raise NullByteInString | ||
end | ||
rescue StandardError | ||
raise SanitisingError, "Non-UTF-8 (or null) character in the query or in the cookie" | ||
end | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
require "test_helper" | ||
|
||
class SanitiserTest < ActiveSupport::TestCase | ||
include Rack::Test::Methods | ||
|
||
def app | ||
Rails.application | ||
end | ||
|
||
test "with query being correct percent-encoded UTF-8 string does not raise exception" do | ||
get "/?%41" | ||
assert last_response.successful? | ||
end | ||
|
||
test "with query being incorrect percent-encoded UTF-8 string raises SanitisingError" do | ||
assert_raises(Sanitiser::Strategy::SanitisingError) do | ||
get "/?%AD" | ||
end | ||
end | ||
|
||
test "with cookie key being correct UTF-8 does not raise exception" do | ||
header("Cookie", "\x41=value") | ||
get "/" | ||
assert last_response.successful? | ||
end | ||
|
||
test "with cookie key being incorrect UTF-8 raises exception" do | ||
header("Cookie", "\xAD=value") | ||
assert_raises(ArgumentError, match: "invalid byte sequence in UTF-8") do | ||
get "/" | ||
end | ||
end | ||
|
||
test "with cookie value being correct UTF-8 does not raise exception" do | ||
header("Cookie", "key=\x41") | ||
get "/" | ||
assert last_response.successful? | ||
end | ||
|
||
test "with cookie value being incorrect UTF-8 raises exception" do | ||
header("Cookie", "key=\xAD") | ||
assert_raises(ArgumentError, match: "invalid byte sequence in UTF-8") do | ||
get "/" | ||
end | ||
end | ||
|
||
test "with cookie path being correct UTF-8 does not raise exception" do | ||
header("Cookie", "key=value; Path=/\x41") | ||
get "/" | ||
assert last_response.successful? | ||
end | ||
|
||
test "with cookie path being incorrect UTF-8 raises exception" do | ||
header("Cookie", "key=value; Path=/\xAD") | ||
assert_raises(ArgumentError, match: "invalid byte sequence in UTF-8") do | ||
get "/" | ||
end | ||
end | ||
|
||
test "with cookie path being correct percent-encoded UTF-8 does not raise exception" do | ||
header("Cookie", "key=value; Path=/%41") | ||
get "/" | ||
assert last_response.successful? | ||
end | ||
|
||
test "with cookie path being incorrect percent-encoded UTF-8 raises SanitisingError" do | ||
header("Cookie", "key=value; Path=/%AD") | ||
assert_raises(Sanitiser::Strategy::SanitisingError) do | ||
get "/" | ||
end | ||
end | ||
|
||
test "with referrer headerbeing correct percent-encoded UTF-8 does not raise exception" do | ||
header("Referer", "http://example.com/?%41") | ||
get "/" | ||
assert last_response.successful? | ||
end | ||
|
||
test "with referrer header being incorrect percent-encoded UTF-8 does not raise exception" do | ||
header("Referer", "http://example.com/?%AD") | ||
get "/" | ||
assert last_response.successful? | ||
end | ||
end |