Don't show error messages that could contain private information.

Fix a potential exploit where private information could be leaked if it was contained in the error message of an unexpected exception. For example, NoMethodError contains a raw dump of the object in the error message, which could leak private user data if you could force a User object to raise a NoMethodError. Fix the error page to only show known-safe error messages from expected exceptions, not unknown error messages from unexpected exceptions. API changes: * JSON errors now have a `message` param. The message will be blank for unknown exceptions. * XML errors have a new format. This is a breaking change. They now look like this: <result> <success type="boolean">false</success> <error>PaginationExtension::PaginationError</error> <message>You cannot go beyond page 5000.</message> <backtrace type="array"> <backtrace>app/logical/pagination_extension.rb:54:in `paginate'</backtrace> <backtrace>app/models/application_record.rb:17:in `paginate'</backtrace> <backtrace>app/logical/post_query_builder.rb:529:in `paginated_posts'</backtrace> <backtrace>app/logical/post_sets/post.rb:95:in `posts'</backtrace> <backtrace>app/controllers/posts_controller.rb:22:in `index'</backtrace> </backtrace> </result> instead of like this: <result success="false">You cannot go beyond page 5000.</result>
2022-02-06 17:02:07 -06:00
parent 8b5d687b7a
commit 7bed81812d
11 changed files with 74 additions and 41 deletions
--- a/test/functional/application_controller_test.rb
+++ b/test/functional/application_controller_test.rb
@@ -36,6 +36,45 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
      end
    end

+    context "on an unexpected error" do
+      setup do
+        User.stubs(:find).raises(NoMethodError.new("pwned"))
+        @user = create(:user)
+      end
+
+      should "not return the error message in the HTML response" do
+        get user_path(@user)
+
+        assert_response 500
+        assert_match(/NoMethodError/, response.body.to_s)
+        assert_no_match(/pwned/, response.body.to_s)
+      end
+
+      should "not return the error message in the JSON response" do
+        get user_path(@user, format: :json)
+
+        assert_response 500
+        assert_match(/NoMethodError/, response.body.to_s)
+        assert_no_match(/pwned/, response.body.to_s)
+      end
+
+      should "not return the error message in the XML response" do
+        get user_path(@user, format: :xml)
+
+        assert_response 500
+        assert_match(/NoMethodError/, response.body.to_s)
+        assert_no_match(/pwned/, response.body.to_s)
+      end
+
+      should "not return the error message in the JS response" do
+        get user_path(@user, format: :js)
+
+        assert_response 500
+        assert_match(/NoMethodError/, response.body.to_s)
+        assert_no_match(/pwned/, response.body.to_s)
+      end
+    end
+
    context "on api authentication" do
      setup do
        @user = create(:user, password: "password")