From 7918ba4e036d26fa36a433171f3b49d9be05d9eb Mon Sep 17 00:00:00 2001
From: Joel Sugarman <joel.sugarman@digital.justice.gov.uk>
Date: Thu, 28 Nov 2024 16:43:56 +0000
Subject: [PATCH 1/3] AP-5524 extension: handle invalid format request with 404

Scripted probing attacks may use format modifiers on their request. This handles them with a 404. The advatage of this to not give the attacker info on what is a server error and to not raise this an actual error in the code base. We have an alert for 404s (exceeding 100) in a 24 hour period which will alert us to a serious probing attack in any event.
---
 app/controllers/errors_controller.rb | 5 ++++-
 spec/requests/errors_controller_spec.rb | 26 ++++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index 1628d3bc14..1f247f1235 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -7,7 +7,10 @@ class ErrorsController < ApplicationController
   before_action :update_locale, :set_error_name
 
   def show
-    render :show, status: status_for(@error_name)
+    respond_to do |format|
+      format.html { render :show, status: status_for(@error_name) }
+      format.all { render plain: "Not found", status: :not_found }
+    end
   end
 
   private
diff --git a/spec/requests/errors_controller_spec.rb b/spec/requests/errors_controller_spec.rb
index 87459ca5d9..2426acb112 100644
--- a/spec/requests/errors_controller_spec.rb
+++ b/spec/requests/errors_controller_spec.rb
@@ -9,7 +9,7 @@
     let(:get_invalid_path) { get("/unknown/path") }
 
     context "with default locale" do
-      it "responds with http status" do
+      it "responds with expected http status" do
         get_invalid_path
         expect(response).to have_http_status(:not_found)
       end
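Review bot: The `format.all` branch in `show` answers `:not_found` regardless of `@error_name`, so a non-HTML request that reaches this controller for a genuine server error is reported as 404; that is what the commit message intends, but nothing in the method records it, and `before_action :set_error_name` still runs for that branch even though its result is unused there. Add a comment above `respond_to`, e.g. `# Non-HTML formats (e.g. probes with .xml/.json suffixes) get a uniform 404 instead of status_for(@error_name) so the response does not reveal which paths are server errors; the plain body is deliberately not localised.` Anyone relying on HTTP status to spot real failures should be pointed at exception tracking instead, which is worth saying in the same comment if that is the project's setup. The identical hunk is reapplied in PATCH 3/3 after the PATCH 2/3 revert and needs the same comment. `status_for` and the before_action callbacks are defined outside the hunk.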
@@ -29,6 +29,30 @@
     end
   end
 
+  context "when page not found due to non-html format" do
+    let(:get_invalid_path) { get("/unknown/path.xml") }
+
+    context "with default locale" do
+      it "responds with expected http status" do
+        get_invalid_path
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "renders not found plain text" do
+        get_invalid_path
+        expect(response.body).to eq("Not found")
+      end
+    end
+
+    context "with Welsh locale", :use_welsh_locale do
+      it "displays the correct content" do
+        get("/unknown/path.xml", params: { locale: :cy })
+
+        expect(response.body).to eq("Not found")
+      end
+    end
+  end
+
   context "when page not found due to object not found" do
     let(:get_invalid_id) { get feedback_path(SecureRandom.uuid) }
 

From 605c8a16942c3a20118c609e642810864627e753 Mon Sep 17 00:00:00 2001
From: Joel Sugarman <joel.sugarman@digital.justice.gov.uk>
Date: Thu, 28 Nov 2024 18:08:32 +0000
Subject: [PATCH 2/3] remove respond_to test

---
 app/controllers/errors_controller.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index 1f247f1235..1628d3bc14 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -7,10 +7,7 @@ class ErrorsController < ApplicationController
   before_action :update_locale, :set_error_name
 
   def show
-    respond_to do |format|
-      format.html { render :show, status: status_for(@error_name) }
-      format.all { render plain: "Not found", status: :not_found }
-    end
+    render :show, status: status_for(@error_name)
   end
 
   private

From 44bcc03ff5775c99986a4328ba7b07f62e31d977 Mon Sep 17 00:00:00 2001
From: Joel Sugarman <joel.sugarman@digital.justice.gov.uk>
Date: Thu, 28 Nov 2024 19:56:50 +0000
Subject: [PATCH 3/3] readd respond_to test

---
 app/controllers/errors_controller.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
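Review bot: The new examples only request `/unknown/path.xml`, which maps to 404 on both branches of `show`, so they cannot tell a fixed `:not_found` in `format.all` apart from `status_for(@error_name)`; the behaviour the commit message motivates, a server-error page requested with a non-HTML suffix answering 404, has no test. If the spec already has a context for an error name that `status_for` maps to a non-404 status, add one example there with a `.json` or `.xml` suffix asserting `expect(response).to have_http_status(:not_found)`. The Welsh-locale example asserts only the body; adding `expect(response).to have_http_status(:not_found)` beside the existing `eq("Not found")` check pins the status for that path as well. The enclosing `describe` and the remaining contexts are outside the hunk.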
diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index 1628d3bc14..1f247f1235 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -7,7 +7,10 @@ class ErrorsController < ApplicationController
   before_action :update_locale, :set_error_name
 
   def show
-    render :show, status: status_for(@error_name)
+    respond_to do |format|
+      format.html { render :show, status: status_for(@error_name) }
+      format.all { render plain: "Not found", status: :not_found }
+    end
   end
 
   private