From 7918ba4e036d26fa36a433171f3b49d9be05d9eb Mon Sep 17 00:00:00 2001
From: Joel Sugarman <joel.sugarman@digital.justice.gov.uk>
Date: Thu, 28 Nov 2024 16:43:56 +0000
Subject: [PATCH 1/3] AP-5524 extension: handle invalid format request with 404

Scripted probing attacks may use format modifiers (e.g. a `.xml`
or `.json` suffix) on their request. This handles them with a 404.
The advantage of this is that it gives the attacker no information
about what is a genuine server error, and it does not raise this
as an actual error in the code base.

We have an alert for 404s (exceeding 100) in a 24 hour period
which will alert us to a serious probing attack in any event.
---
 app/controllers/errors_controller.rb    |  5 ++++-
 spec/requests/errors_controller_spec.rb | 26 ++++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index 1628d3bc14..1f247f1235 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -7,7 +7,10 @@
 class ErrorsController < ApplicationController
   before_action :update_locale, :set_error_name
   def show
-    render :show, status: status_for(@error_name)
+    respond_to do |format|
+      format.html { render :show, status: status_for(@error_name) }
+      format.all { render plain: "Not found", status: :not_found }
+    end
   end
 
 private
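Review bot: The `format.all` branch discards `status_for(@error_name)`, so a non-HTML request that reached this controller because of a genuine 500/422 is now reported as 404; that is the intended effect for probes per the commit message, but it also hides real server errors from any client or monitor that keys on the status code, and the trade-off should be recorded in a comment above the `respond_to` block, e.g. `# Non-HTML formats always get a bare 404 so format-based probing cannot tell a missing route from a server error.`. Ordering also appears to matter here: Rails resolves a wildcard `Accept: */*` to the first format registered in the block, so `format.html` must stay ahead of `format.all` or browser-like requests would receive the plain-text 404 — a one-line comment such as `# html must stay first: */* requests resolve to the first registered format` would protect that. Note that `update_locale` and `set_error_name` still run for every format, so the locale lookup is done even though the non-HTML body ignores it. `status_for` and `set_error_name` are defined outside the hunk, so whether a non-404 `@error_name` can actually reach this action for a non-HTML format cannot be confirmed from here.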
diff --git a/spec/requests/errors_controller_spec.rb b/spec/requests/errors_controller_spec.rb
index 87459ca5d9..2426acb112 100644
--- a/spec/requests/errors_controller_spec.rb
+++ b/spec/requests/errors_controller_spec.rb
@@ -9,7 +9,7 @@
     let(:get_invalid_path) { get("/unknown/path") }
 
     context "with default locale" do
-      it "responds with http status" do
+      it "responds with expected http status" do
         get_invalid_path
         expect(response).to have_http_status(:not_found)
       end
@@ -29,6 +29,30 @@
     end
   end
 
+  context "when page not found due to non-html format" do
+    let(:get_invalid_path) { get("/unknown/path.xml") }
+
+    context "with default locale" do
+      it "responds with expected http status" do
+        get_invalid_path
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "renders not found plain text" do
+        get_invalid_path
+        expect(response.body).to eq("Not found")
+      end
+    end
+
+    context "with Welsh locale", :use_welsh_locale do
+      it "displays the correct content" do
+        get("/unknown/path.xml", params: { locale: :cy })
+
+        expect(response.body).to eq("Not found")
+      end
+    end
+  end
+
   context "when page not found due to object not found" do
     let(:get_invalid_id) { get feedback_path(SecureRandom.uuid) }
 
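Review bot: The new examples pin the body and status for `/unknown/path.xml` but never assert the response type or the case the commit message actually motivates — that a non-HTML request hitting a server-error page also comes back as 404 rather than 500 — so a later change that restored `status_for` in the `format.all` branch would not be caught; adding `expect(response.media_type).to eq("text/plain")` and a second example using the 500 route (if the errors routing exposes one) would cover that. Only `.xml` is exercised; a probe-style `.json` or `.php` suffix would be a cheap additional `let` value. The Welsh-locale example checks the body only; it should also assert `have_http_status(:not_found)` for parity with the default-locale context.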

From 605c8a16942c3a20118c609e642810864627e753 Mon Sep 17 00:00:00 2001
From: Joel Sugarman <joel.sugarman@digital.justice.gov.uk>
Date: Thu, 28 Nov 2024 18:08:32 +0000
Subject: [PATCH 2/3] remove respond_to test

---
 app/controllers/errors_controller.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index 1f247f1235..1628d3bc14 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -7,10 +7,7 @@
 class ErrorsController < ApplicationController
   before_action :update_locale, :set_error_name
   def show
-    respond_to do |format|
-      format.html { render :show, status: status_for(@error_name) }
-      format.all { render plain: "Not found", status: :not_found }
-    end
+    render :show, status: status_for(@error_name)
   end
 
 private

From 44bcc03ff5775c99986a4328ba7b07f62e31d977 Mon Sep 17 00:00:00 2001
From: Joel Sugarman <joel.sugarman@digital.justice.gov.uk>
Date: Thu, 28 Nov 2024 19:56:50 +0000
Subject: [PATCH 3/3] readd respond_to test

---
 app/controllers/errors_controller.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index 1628d3bc14..1f247f1235 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -7,7 +7,10 @@
 class ErrorsController < ApplicationController
   before_action :update_locale, :set_error_name
   def show
-    render :show, status: status_for(@error_name)
+    respond_to do |format|
+      format.html { render :show, status: status_for(@error_name) }
+      format.all { render plain: "Not found", status: :not_found }
+    end
   end
 
 private
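Review bot: This patch re-applies byte-for-byte the hunk that patch 2/3 reverted, so patches 2 and 3 together are a no-op and should be squashed into patch 1 before merging; as a series they leave a revert/re-add pair in history that a future bisect or blame will have to step over, and the commit subjects ("remove respond_to test", "readd respond_to test") describe a test change although only the controller is touched. The `respond_to` block itself carries no comment explaining why non-HTML formats are collapsed to a plain 404; a line such as `# Non-HTML formats always get a bare 404 so probes cannot distinguish a missing route from a server error.` above it would keep the rationale next to the code rather than only in the patch 1 message. `status_for` and `set_error_name` are outside the hunk.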