Class: StrictRequestUri

Inherits:

Object

• Object
• StrictRequestUri

Defined in:

lib/strict_request_uri.rb

Overview

Sometimes junk gets appended to the URLs clicked in e-mails. This junk then gets sent by browsers undecoded, and causes Unicode-related exceptions when the full request URI or path is rebuilt for ActionDispatch.

We can fix this by iteratively removing bytes from the end of the URL until it becomes parseable.

We do however answer to those URLs with a 400 to indicate clients that those requests are not welcome. This also allows us to tell the users that they are using a URL which is in fact not really valid.

Constant Summary

VERSION =

'1.0.2'

Instance Method Summary

• #call(env) ⇒ Object
• #initialize(app, &error_page_rack_app) ⇒ StrictRequestUri constructor

  Inits the middleware.

Constructor Details

#initialize(app, &error_page_rack_app) ⇒ StrictRequestUri

Inits the middleware. The optional proc should be a Rack application that will render the error page. To make a controller render that page, use <ControllerClass>.action()

use RequestUriCleanup do | env |
    ErrorsController.action(:invalid_request).call(env)
end

# File 'lib/strict_request_uri.rb', line 22

def initialize(app, &error_page_rack_app)
  @app = app
  @error_page_app = if error_page_rack_app
    error_page_rack_app
  else
    ->(env) { [400, {'Content-Type' => 'text/plain'}, ['Invalid request URI']] }
  end
end

Instance Method Details

#call(env) ⇒ Object

# File 'lib/strict_request_uri.rb', line 31

def call(env)
  # Compose the original URL, taking care not to treat it as UTF8.
  # Do not use Rack::Request since it is not really needed for this
  # (and _might be doing something with strings that we do not necessarily want).
  # For instance, Rack::Request does regexes when you ask it for the REQUEST_URI
  tainted_url = reconstruct_original_url(env)
  return @app.call(env) if string_parses_to_url?(tainted_url)
  
  # At this point we know the URL is fishy.
  referer = to_utf8(env['HTTP_REFERER'] || '(unknown)')
  env['rack.errors'].puts("Invalid URL received from referer #{referer}") if env['rack.errors']
  
  # Save the original URL so that the error page can use it
  env['strict_uri.original_invalid_url'] = tainted_url
  env['strict_uri.proposed_fixed_url'] = 
    truncate_bytes_at_end_until_parseable(tainted_url)
  
  # Strictly speaking, the parts we are going to put into QUERY_STRING and PATH_INFO
  # should _only_ be used for rendering the error page, and that's it.
  # 
  # We can therefore wipe them clean.
  env['PATH_INFO'] = '/invalid-url'
  env['QUERY_STRING'] = ''
  
  # And render the error page using the provided error app.
  @error_page_app.call(env)
end