Fix issues with bogus % encoded sequences in URLs

Add a URI sanitizer to the rack stack avoid rack throwing exceptions on the server side, and ignore errors decoding components on the client side. Fixes #1101
2015-12-07 13:52:20 +00:00 · 2015-12-07 13:52:20 +00:00 · e20bb507f1
commit e20bb507f1
parent d218d5bf7d
4 changed files with 25 additions and 11 deletions
--- a/3
+++ b/3
@ -54,6 +54,9 @@ gem "i18n-js", ">= 3.0.0.rc10"
 gem "rack-cors"
 gem "actionpack-page_caching"

+# Sanitise URIs
+gem "rack-uri_sanitizer"
+
 # Omniauth for authentication
 gem "omniauth"
 gem "omniauth-openid"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -39,12 +39,12 @@ GEM
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.3.8)
+    addressable (2.4.0)
    arel (6.0.3)
    ast (2.1.0)
    astrolabe (1.3.1)
      parser (~> 2.2)
-    autoprefixer-rails (6.1.0.1)
+    autoprefixer-rails (6.1.2)
      execjs
      json
    bigdecimal (1.1.0)
@ -70,10 +70,11 @@ GEM
    colorize (0.7.7)
    composite_primary_keys (8.1.1)
      activerecord (~> 4.2.0)
-    coveralls (0.8.9)
+    concurrent-ruby (1.0.0)
+    coveralls (0.8.10)
      json (~> 1.8)
      rest-client (>= 1.6.8, < 2)
-      simplecov (~> 0.10.0)
+      simplecov (~> 0.11.0)
      term-ansicolor (~> 1.3)
      thor (~> 0.19.1)
      tins (~> 1.6.0)
@ -146,14 +147,14 @@ GEM
      mime-types (>= 1.16, < 3)
    mime-types (2.99)
    mimemagic (0.3.0)
-    mini_portile (0.6.2)
+    mini_portile2 (2.0.0)
    minitest (5.8.3)
    multi_json (1.11.2)
    multi_xml (0.5.5)
    multipart-post (2.0.0)
    netrc (0.11.0)
-    nokogiri (1.6.6.4)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7)
+      mini_portile2 (~> 2.0.0.rc2)
    nokogumbo (1.4.1)
      nokogiri
    oauth (0.4.7)
@ -197,7 +198,7 @@ GEM
    parser (2.2.3.0)
      ast (>= 1.1, < 3.0)
    pg (0.18.4)
-    poltergeist (1.8.0)
+    poltergeist (1.8.1)
      capybara (~> 2.1)
      cliver (~> 0.3.1)
      multi_json (~> 1.0)
@ -213,6 +214,7 @@ GEM
      ruby-openid (>= 2.1.8)
    rack-test (0.6.3)
      rack (>= 1.0)
+    rack-uri_sanitizer (0.0.2)
    rails (4.2.5)
      actionmailer (= 4.2.5)
      actionpack (= 4.2.5)
@ -270,13 +272,14 @@ GEM
      sprockets (>= 2.8, < 4.0)
      sprockets-rails (>= 2.0, < 4.0)
      tilt (>= 1.1, < 3)
-    simplecov (0.10.0)
+    simplecov (0.11.1)
      docile (~> 1.1.0)
      json (~> 1.8)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.0)
    soap4r-ruby1.9 (2.0.5)
-    sprockets (3.4.0)
+    sprockets (3.5.1)
+      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (2.3.3)
      actionpack (>= 3.0)
@ -350,6 +353,7 @@ DEPENDENCIES
  psych
  r2
  rack-cors
+  rack-uri_sanitizer
  rails (= 4.2.5)
  rails-i18n (~> 4.0.0)
  redcarpet
--- a/app/assets/javascripts/osm.js.erb
+++ b/app/assets/javascripts/osm.js.erb
@ -53,7 +53,12 @@ OSM = {
        j = pair.indexOf('='),
        key = pair.slice(0, j),
        val = pair.slice(++j);
-      params[key] = decodeURIComponent(val);
+
+      try {
+        params[key] = decodeURIComponent(val);
+      } catch (e) {
+        // Ignore parse exceptions
+      }
    }

    return params;
--- a/config/initializers/uri_sanitizer.rb
+++ b/config/initializers/uri_sanitizer.rb
@ -0,0 +1,2 @@
+# Add URI sanitizer to rack middleware
+Rails.configuration.middleware.insert_before Rack::Runtime, Rack::URISanitizer