
Fix webfinger returning wrong status code on malformed or missing param (#13759)

Fixes #13757
master
ThibG 1 year ago
committed by GitHub
parent
commit
71fce71c94
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 3 deletions
  1. +6
    -1
      app/controllers/well_known/webfinger_controller.rb
  2. +3
    -1
      app/lib/webfinger_resource.rb
  3. +10
    -0
      spec/controllers/well_known/webfinger_controller_spec.rb
  4. +11
    -1
      spec/lib/webfinger_resource_spec.rb

+ 6
- 1
app/controllers/well_known/webfinger_controller.rb

@ -8,7 +8,8 @@ module WellKnown
before_action :set_account
before_action :check_account_suspension
rescue_from ActiveRecord::RecordNotFound, ActionController::ParameterMissing, with: :not_found
rescue_from ActiveRecord::RecordNotFound, with: :not_found
rescue_from ActionController::ParameterMissing, WebfingerResource::InvalidRequest, with: :bad_request
def show
expires_in 3.days, public: true
@ -37,6 +38,10 @@ module WellKnown
expires_in(3.minutes, public: true) && gone if @account.suspended?
end
def bad_request
head 400
end
def not_found
head 404
end
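Review bot: The two new `rescue_from` lines and `bad_request` carry no comment explaining why a missing or malformed `resource` is now a 400 while an unknown account stays a 404, so the split is easy to undo in a later cleanup. I would add above the second `rescue_from`: `# RFC 7033 section 4.2: an absent or malformed "resource" parameter is a bad request (400), not a missing account (404)`. `bad_request` uses `head 400`, which matches the numeric style of `not_found`, so nothing to change there. The controller body continues outside both hunks, so the place where `WebfingerResource::InvalidRequest` is raised (presumably `set_account`) is not visible here.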

+ 3
- 1
app/lib/webfinger_resource.rb

@ -3,6 +3,8 @@
class WebfingerResource
attr_reader :resource
class InvalidRequest < StandardError; end
def initialize(resource)
@resource = resource
end
@ -14,7 +16,7 @@ class WebfingerResource
when /\@/
username_from_acct
else
raise(ActiveRecord::RecordNotFound)
raise InvalidRequest
end
end
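Review bot: Only the `else` branch of the `case` raises `InvalidRequest`, so a malformed value that happens to contain an `@` still matches `when /\@/` and goes to `username_from_acct`, whose body is outside the hunk. If that method raises `ActiveRecord::RecordNotFound` for input it cannot parse, those requests keep returning 404 and the fix is only partial. That is worth confirming, and a spec case for a malformed value containing `@` belongs next to the `'df/:dfkj'` one in `spec/lib/webfinger_resource_spec.rb`. `InvalidRequest` is also raised without a message; `raise InvalidRequest, 'unsupported resource format'` would make log entries for this unauthenticated endpoint easier to triage without echoing the untrusted value.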

+ 10
- 0
spec/controllers/well_known/webfinger_controller_spec.rb

@ -84,5 +84,15 @@ PEM
expect(response).to have_http_status(:not_found)
end
it 'returns http bad request when not given a resource parameter' do
get :show, params: { }, format: :json
expect(response).to have_http_status(:bad_request)
end
it 'returns http bad request when given a nonsense parameter' do
get :show, params: { resource: 'df/:dfkj' }
expect(response).to have_http_status(:bad_request)
end
end
end
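Review bot: The second example calls `get :show, params: { resource: 'df/:dfkj' }` without `format: :json`, while the first passes it, so the two 400 assertions run under different content negotiation. Use the same format in both: `get :show, params: { resource: 'df/:dfkj' }, format: :json`. `params: { }` is conventionally written `params: {}`. Neither example covers a blank value (`resource: ''`), which would be a cheap third case for the malformed-input path.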

+ 11
- 1
spec/lib/webfinger_resource_spec.rb

@ -39,7 +39,7 @@ describe WebfingerResource do
expect {
WebfingerResource.new(resource).username
}.to raise_error(ActiveRecord::RecordNotFound)
}.to raise_error(WebfingerResource::InvalidRequest)
end
it 'finds the username in a valid https route' do
@ -123,5 +123,15 @@ describe WebfingerResource do
expect(result).to eq 'alice'
end
end
describe 'with a nonsense resource' do
it 'raises InvalidRequest' do
resource = 'df/:dfkj'
expect {
WebfingerResource.new(resource).username
}.to raise_error(WebfingerResource::InvalidRequest)
end
end
end
end
