FIX: return a 400 error instead of 500 for null injections

Many security scanners like to inject NULL in inputs causing application to exception out and return a 500 We now handle this exception and render a 400 status back
2025-05-22 16:11:08 +08:00 · 2018-09-04 12:11:42 +10:00
parent 0a14e0a256
commit 2f5c21e28c
2 changed files with 18 additions and 0 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -156,6 +156,14 @@ class ApplicationController < ActionController::Base
    end
  end

+  rescue_from ArgumentError do |e|
+    if e.message == "string contains null byte"
+      raise Discourse::InvalidParameters, e.message
+    else
+      raise e
+    end
+  end
+
  rescue_from Discourse::InvalidParameters do |e|
    message = I18n.t('invalid_params', message: e.message)
    if (request.format && request.format.json?) || request.xhr? || !request.get?