00dbc10b-d747-4ad7-b211-7b26d753abbb

Committed 14 Aug 2025 01:25PM UTC coverage: 0.483% (-94.9%) from 95.343%

Build # 00dbc10b-d747-4ad7-b211-7b26d753abbb

Build Type

push

circleci

Committed by

web-flow

Commit Message

Merge pull request #5181 from pulibrary/dependabot/bundler/activestorage-7.2.2.2

Bump activestorage from 7.2.2.1 to 7.2.2.2

Run Details

47 of 9721 relevant lines covered (0.48%)

0.01 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/lib/orangelight/middleware/invalid_parameter_handler.rb

# frozen_string_literal: true

# If the user enters a url that has invalid parameters
# this middleware will return a 400 status
# and the load balancer will display its own error page

module Orangelight
  module Middleware
    class InvalidParameterHandler
      def initialize(app)
        @app = app
      end

      def call(env)
        validate_for!(env)
        @app.call(env)
      rescue ActionController::BadRequest => bad_request_error
        raise bad_request_error if raise_error?(bad_request_error.message)

        Rails.logger.error "Invalid parameters passed in the request: #{bad_request_error} within the environment #{@request.inspect}"
        bad_request_response(env)
      end

      private

        def bad_request_body
          'Bad Request'
        end

        def bad_request_headers(env)
          {
            'Content-Type' => "#{request_content_type(env)}; charset=#{default_charset}",
            'Content-Length' => bad_request_body.bytesize.to_s
          }
        end

        def bad_request_response(env)
          [
            bad_request_status,
            bad_request_headers(env),
            [bad_request_body]
          ]
        end

        def bad_request_status
          400
        end

        def default_charset
          ActionDispatch::Response.default_charset
        end

        def default_content_type
          'text/html'
        end

        # Check if facet fields have empty value lists
        def facet_fields_values(params)
          facet_parameter = params.fetch(:f, [])
          raise ActionController::BadRequest, "Invalid facet parameter passed: #{facet_parameter}" unless facet_parameter.is_a?(Array) || facet_parameter.is_a?(Hash)

          facet_parameter.collect do |facet_field, value_list|
            raise ActionController::BadRequest, "Facet field #{facet_field} has a scalar value #{value_list}" if value_list.is_a?(String)

            next unless value_list.nil?
            raise ActionController::BadRequest, "Facet field #{facet_field} has a nil value"
          end
        end

        # Check if params have key with leading or trailing whitespaces
        def check_for_white_spaces(params)
          params.each_key do |k|
            next unless ((k[0].match?(/\s/) || k[-1].match?(/\s/)) && (k.is_a? String)) == true
            raise ActionController::BadRequest, "Param '#{k}' contains a space"
          end
        end

        ##
        # Previously, we were rescuing only from exceptions we recognized.
        # The problem with that is that there will be exceptions we don't recognize and
        # haven't been able to diagnose (see, e.g., https://github.com/pulibrary/orangelight/issues/1455)
        # and when those happen we want to provide the user with a graceful way forward,
        # not just an error screen. Therefore, we should rescue all errors, log the problem,
        # and redirect the user somewhere helpful.
        def raise_error?(_message)
          false
        end

        def request_content_type(env)
          request = request_for(env)
          request.formats.first || default_content_type
        end

        def request_for(env)
          ActionDispatch::Request.new(env.dup)
        end

        def valid_message_patterns
          [
            /invalid %-encoding/,
            /Facet field/,
            /Invalid facet/,
            /contains a space/
          ]
        end

        def validate_for!(env)
          # calling request.params is sufficient to trigger an error
          # see https://github.com/rack/rack/issues/337#issuecomment-46453404
          params = request_for(env).params
          check_for_white_spaces(params)
          facet_fields_values(params)
        end
    end
  end
end

1	# frozen_string_literal: true
2
3	# If the user enters a url that has invalid parameters
4	# this middleware will return a 400 status
5	# and the load balancer will display its own error page
6
7	module Orangelight	×
8	module Middleware	×
9	class InvalidParameterHandler	×
10	def initialize(app)	×
11	@app = app	×
12	end	×
13
14	def call(env)	×
15	validate_for!(env)	×
16	@app.call(env)	×
17	rescue ActionController::BadRequest => bad_request_error	×
18	raise bad_request_error if raise_error?(bad_request_error.message)	×
19
20	Rails.logger.error "Invalid parameters passed in the request: #{bad_request_error} within the environment #{@request.inspect}"	×
21	bad_request_response(env)	×
22	end	×
23
24	private	×
25
26	def bad_request_body	×
27	'Bad Request'	×
28	end	×
29
30	def bad_request_headers(env)	×
31	{	×
32	'Content-Type' => "#{request_content_type(env)}; charset=#{default_charset}",	×
33	'Content-Length' => bad_request_body.bytesize.to_s	×
34	}	×
35	end	×
36
37	def bad_request_response(env)	×
38	[	×
39	bad_request_status,	×
40	bad_request_headers(env),	×
41	[bad_request_body]	×
42	]	×
43	end	×
44
45	def bad_request_status	×
46	400	×
47	end	×
48
49	def default_charset	×
50	ActionDispatch::Response.default_charset	×
51	end	×
52
53	def default_content_type	×
54	'text/html'	×
55	end	×
56
57	# Check if facet fields have empty value lists
58	def facet_fields_values(params)	×
59	facet_parameter = params.fetch(:f, [])	×
60	raise ActionController::BadRequest, "Invalid facet parameter passed: #{facet_parameter}" unless facet_parameter.is_a?(Array) \|\| facet_parameter.is_a?(Hash)	×
61
62	facet_parameter.collect do \|facet_field, value_list\|	×
63	raise ActionController::BadRequest, "Facet field #{facet_field} has a scalar value #{value_list}" if value_list.is_a?(String)	×
64
65	next unless value_list.nil?	×
66	raise ActionController::BadRequest, "Facet field #{facet_field} has a nil value"	×
67	end	×
68	end	×
69
70	# Check if params have key with leading or trailing whitespaces
71	def check_for_white_spaces(params)	×
72	params.each_key do \|k\|	×
73	next unless ((k[0].match?(/\s/) \|\| k[-1].match?(/\s/)) && (k.is_a? String)) == true	×
74	raise ActionController::BadRequest, "Param '#{k}' contains a space"	×
75	end	×
76	end	×
77
78	##
79	# Previously, we were rescuing only from exceptions we recognized.
80	# The problem with that is that there will be exceptions we don't recognize and
81	# haven't been able to diagnose (see, e.g., https://github.com/pulibrary/orangelight/issues/1455)
82	# and when those happen we want to provide the user with a graceful way forward,
83	# not just an error screen. Therefore, we should rescue all errors, log the problem,
84	# and redirect the user somewhere helpful.
85	def raise_error?(_message)	×
86	false	×
87	end	×
88
89	def request_content_type(env)	×
90	request = request_for(env)	×
91	request.formats.first \|\| default_content_type	×
92	end	×
93
94	def request_for(env)	×
95	ActionDispatch::Request.new(env.dup)	×
96	end	×
97
98	def valid_message_patterns	×
99	[	×
100	/invalid %-encoding/,	×
101	/Facet field/,	×
102	/Invalid facet/,	×
103	/contains a space/	×
104	]	×
105	end	×
106
107	def validate_for!(env)	×
108	# calling request.params is sufficient to trigger an error
109	# see https://github.com/rack/rack/issues/337#issuecomment-46453404
110	params = request_for(env).params	×
111	check_for_white_spaces(params)	×
112	facet_fields_values(params)	×
113	end	×
114	end	×
115	end	×
116	end	×

pulibrary / orangelight / 00dbc10b-d747-4ad7-b211-7b26d753abbb

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous