From 9384ecc860310e2aacf4f1c9579fc0c4507617a2 Mon Sep 17 00:00:00 2001
From: Will Kahn-Greene
Date: Sat, 2 Nov 2024 08:26:13 -0400
Subject: [PATCH] bug-1902001: fix source highlight with bad urls (#6783)

If the url provided isn't a valid url, treat it as if the document doesn't exist and return an HTTP 404.
---
 webapp/crashstats/sources/tests/test_views.py | 8 ++++++++
 webapp/crashstats/sources/views.py | 7 ++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/webapp/crashstats/sources/tests/test_views.py b/webapp/crashstats/sources/tests/test_views.py
index 5eb2c12964..c846640d74 100644
--- a/webapp/crashstats/sources/tests/test_views.py
+++ b/webapp/crashstats/sources/tests/test_views.py
@@ -67,6 +67,14 @@ def test_highlight_url(client, requests_mock):
 assert response["content-security-policy"]


+def test_highlight_bad_url(client, requests_mock):
+ url = reverse("sources:highlight_url")
+
+ # Invalid url is treated as a 404
+ response = client.get(url, {"url": "http://example.com[@a.xxx.org/?"})
+ assert response.status_code == 404
+
+
 def test_highlight_line(client, requests_mock):
 requests_mock.get(
 f"https://{HOST}/200.h",
diff --git a/webapp/crashstats/sources/views.py b/webapp/crashstats/sources/views.py
index 0f3253f5dd..ad643f3691 100644
--- a/webapp/crashstats/sources/views.py
+++ b/webapp/crashstats/sources/views.py
@@ -53,7 +53,12 @@ def highlight_url(request):
 if not url:
 return HttpResponseBadRequest("No url specified.")

- parsed = urlsplit(url)
+ try:
+ parsed = urlsplit(url)
+ except ValueError:
+ # If the value can't be parsed as a url, then treat it as if the document
+ # doesn't exist. Bug #1902001.
+ return HttpResponseNotFound("Document at URL does not exist.")

 # We will only pull urls from allowed hosts
 if parsed.netloc not in ALLOWED_SOURCE_HOSTS:
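Review bot: test_highlight_bad_url takes the requests_mock fixture but never asserts that the view made no outbound request, so it pins the status code without pinning that a rejected URL stops before the fetch. Adding `assert requests_mock.call_count == 0` after the status check would make that explicit. The case also covers only one malformed shape, an unbalanced `[` in the host part; a short comment saying that this is the input that makes urlsplit raise ValueError would tell the next reader why this particular string was chosen.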
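Review bot: The new try/except guards only the parse, while the allow-list check that follows compares `parsed.netloc`, so the host decision rests on urlsplit's reading of the string. The rest of highlight_url lies outside the hunk; if the fetch further down is given the raw `url` rather than the parsed value, the HTTP client re-parses it and may not agree with urlsplit on every input (urlsplit, for one, removes tab and newline characters before splitting). Passing `parsed.geturl()` to the fetch, or at least a comment such as `# fetch the same value that was checked against ALLOWED_SOURCE_HOSTS`, would keep the check and the request on one parse.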