7bed81812d
Fix a potential exploit where private information could be leaked if
it was contained in the error message of an unexpected exception.
For example, NoMethodError contains a raw dump of the object in the
error message, which could leak private user data if you could force a
User object to raise a NoMethodError.
Fix the error page to only show known-safe error messages from expected
exceptions, not unknown error messages from unexpected exceptions.
API changes:
* JSON errors now have a `message` param. The message will be blank for unknown exceptions.
* XML errors have a new format. This is a breaking change. They now look like this:
<result>
<success type="boolean">false</success>
<error>PaginationExtension::PaginationError</error>
<message>You cannot go beyond page 5000.</message>
<backtrace type="array">
<backtrace>app/logical/pagination_extension.rb:54:in `paginate'</backtrace>
<backtrace>app/models/application_record.rb:17:in `paginate'</backtrace>
<backtrace>app/logical/post_query_builder.rb:529:in `paginated_posts'</backtrace>
<backtrace>app/logical/post_sets/post.rb:95:in `posts'</backtrace>
<backtrace>app/controllers/posts_controller.rb:22:in `index'</backtrace>
</backtrace>
</result>
instead of like this:
<result success="false">You cannot go beyond page 5000.</result>
118 lines
2.8 KiB
Ruby
118 lines
2.8 KiB
Ruby
require "test_helper"
|
|
|
|
class StaticControllerTest < ActionDispatch::IntegrationTest
|
|
context "site_map action" do
|
|
should "work for anonymous users" do
|
|
get site_map_path
|
|
assert_response :success
|
|
end
|
|
|
|
should "work for admin users" do
|
|
get_auth site_map_path, create(:admin_user)
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "sitemap action" do
|
|
[Artist, ForumTopic, Pool, Post, Tag, User, WikiPage].each do |klass|
|
|
should "work for #{klass.model_name.plural}" do
|
|
as(create(:user)) { create_list(klass.model_name.singular.to_sym, 3) }
|
|
get sitemap_path(sitemap: klass.model_name.plural), as: :xml
|
|
|
|
assert_response :success
|
|
assert_equal(1, response.parsed_body.css("sitemap loc").size)
|
|
end
|
|
end
|
|
end
|
|
|
|
context "dtext_help action" do
|
|
should "work" do
|
|
get dtext_help_path(format: :js), xhr: true
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "terms_of_service action" do
|
|
should "work" do
|
|
get terms_of_service_path
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "privacy_policy action" do
|
|
should "work" do
|
|
get privacy_policy_path
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "not_found action" do
|
|
should "return the 404 page for GET requests" do
|
|
get "/qwoiqogieqg"
|
|
assert_response 404
|
|
end
|
|
|
|
should "return the 404 page for POST requests" do
|
|
post "/qwoiqogieqg"
|
|
assert_response 404
|
|
end
|
|
|
|
should "return a JSON response for a 404'd JSON request" do
|
|
get "/qwoiqogieqg", as: :json
|
|
|
|
assert_response 404
|
|
assert_equal("Page not found", response.parsed_body["message"])
|
|
end
|
|
|
|
should "return an XML response for a 404'd XML request" do
|
|
get "/qwoiqogieqg", as: :xml
|
|
|
|
assert_response 404
|
|
assert_equal("Page not found", response.parsed_body.xpath("result/message").text)
|
|
end
|
|
|
|
should "render the 404 page when page_not_found_pool_id is configured" do
|
|
as(create(:user)) do
|
|
@post = create(:post, tag_string: "artist:bkub")
|
|
@pool = create(:pool, post_ids: [@post.id])
|
|
Danbooru.config.stubs(:page_not_found_pool_id).returns(@pool.id)
|
|
end
|
|
|
|
get "/qwoiqogieqg"
|
|
|
|
assert_response 404
|
|
assert_select "#c-static #a-not-found img", count: 1
|
|
end
|
|
end
|
|
|
|
context "bookmarklet action" do
|
|
should "work" do
|
|
get bookmarklet_path
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "contact action" do
|
|
should "work" do
|
|
create(:owner_user)
|
|
|
|
get contact_path
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "keyboard_shortcuts action" do
|
|
should "work" do
|
|
get keyboard_shortcuts_path
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
context "opensearch action" do
|
|
should "work" do
|
|
get opensearch_path, as: :xml
|
|
assert_response :success
|
|
end
|
|
end
|
|
end
|