Fix webfinger returning wrong status code on malformed or missing param (#13759)
Fixes #13757
		| @@ -8,7 +8,8 @@ module WellKnown | ||||
|     before_action :set_account | ||||
|     before_action :check_account_suspension | ||||
|  | ||||
|     rescue_from ActiveRecord::RecordNotFound, ActionController::ParameterMissing, with: :not_found | ||||
|     rescue_from ActiveRecord::RecordNotFound, with: :not_found | ||||
|     rescue_from ActionController::ParameterMissing, WebfingerResource::InvalidRequest, with: :bad_request | ||||
|  | ||||
|     def show | ||||
|       expires_in 3.days, public: true | ||||
| @@ -37,6 +38,10 @@ module WellKnown | ||||
|       expires_in(3.minutes, public: true) && gone if @account.suspended? | ||||
|     end | ||||
|  | ||||
|     def bad_request | ||||
|       head 400 | ||||
|     end | ||||
|  | ||||
|     def not_found | ||||
|       head 404 | ||||
|     end | ||||
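Review bot: The new `bad_request` handler hard-codes the numeric status while the specs in this commit describe the same responses symbolically (`have_http_status(:bad_request)`); for consistency and readability I would write `head :bad_request` here and, in the same pass, `head :not_found` in the sibling handler. Splitting the `rescue_from` into two declarations is sound because `ActiveRecord::RecordNotFound`, `ActionController::ParameterMissing` and `WebfingerResource::InvalidRequest` do not overlap, so handler lookup order cannot pick the wrong one. Where `InvalidRequest` is actually raised is not visible in this hunk; presumably it is the `set_account` before_action, in which case the handler runs before `show` and its `expires_in` is never applied to the 400 — worth confirming that an uncached 400 is the intended behaviour.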
|   | ||||
| @@ -3,6 +3,8 @@ | ||||
| class WebfingerResource | ||||
|   attr_reader :resource | ||||
|  | ||||
|   class InvalidRequest < StandardError; end | ||||
|  | ||||
|   def initialize(resource) | ||||
|     @resource = resource | ||||
|   end | ||||
| @@ -14,7 +16,7 @@ class WebfingerResource | ||||
|     when /\@/ | ||||
|       username_from_acct | ||||
|     else | ||||
|       raise(ActiveRecord::RecordNotFound) | ||||
|       raise InvalidRequest | ||||
|     end | ||||
|   end | ||||
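Review bot: `raise InvalidRequest` at the `else` branch carries no message, so logs and exception trackers will show only the class name with nothing to distinguish this failure from other future uses of the same error; a static message such as `raise InvalidRequest, 'unrecognized resource format'` would help. Keep the message static rather than interpolating `resource`: that value comes straight from the request, and echoing it into the message would put caller-controlled text verbatim into logs. The `case` this branch belongs to starts above the hunk, so the other accepted forms are not visible here.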
|  | ||||
|   | ||||
| @@ -84,5 +84,15 @@ PEM | ||||
|  | ||||
|       expect(response).to have_http_status(:not_found) | ||||
|     end | ||||
|  | ||||
|     it 'returns http bad request when not given a resource parameter' do | ||||
|       get :show, params: { }, format: :json | ||||
|       expect(response).to have_http_status(:bad_request) | ||||
|     end | ||||
|  | ||||
|     it 'returns http bad request when given a nonsense parameter' do | ||||
|       get :show, params: { resource: 'df/:dfkj' } | ||||
|       expect(response).to have_http_status(:bad_request) | ||||
|     end | ||||
|   end | ||||
| end | ||||
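Review bot: The two new examples request the action differently: the missing-parameter case passes `format: :json` while the nonsense-parameter case at `get :show, params: { resource: 'df/:dfkj' }` omits it, so the two 400 paths are exercised under different formats for no stated reason. I would use the same call shape in both, e.g. `get :show, params: { resource: 'df/:dfkj' }, format: :json`, or drop the format from the first if the action does not depend on it. The enclosing `describe` opens outside the hunk, so whether other examples in this file set a format is not visible.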
|   | ||||
| @@ -39,7 +39,7 @@ describe WebfingerResource do | ||||
|  | ||||
|         expect { | ||||
|           WebfingerResource.new(resource).username | ||||
|         }.to raise_error(ActiveRecord::RecordNotFound) | ||||
|         }.to raise_error(WebfingerResource::InvalidRequest) | ||||
|       end | ||||
|  | ||||
|       it 'finds the username in a valid https route' do | ||||
| @@ -123,5 +123,15 @@ describe WebfingerResource do | ||||
|         expect(result).to eq 'alice' | ||||
|       end | ||||
|     end | ||||
|  | ||||
|     describe 'with a nonsense resource' do | ||||
|       it 'raises InvalidRequest' do | ||||
|         resource = 'df/:dfkj' | ||||
|  | ||||
|         expect { | ||||
|           WebfingerResource.new(resource).username | ||||
|         }.to raise_error(WebfingerResource::InvalidRequest) | ||||
|       end | ||||
|     end | ||||
|   end | ||||
| end | ||||
|   | ||||