From 71fce71c94b1e94ae3a7af17bfc141709b61c428 Mon Sep 17 00:00:00 2001
From: ThibG <thib@sitedethib.com>
Date: Thu, 14 May 2020 23:28:06 +0200
Subject: [PATCH] Fix webfinger returning wrong status code on malformed or
 missing param (#13759)

Fixes #13757
---
 app/controllers/well_known/webfinger_controller.rb   |  7 ++++++-
 app/lib/webfinger_resource.rb                        |  4 +++-
 .../well_known/webfinger_controller_spec.rb          | 10 ++++++++++
 spec/lib/webfinger_resource_spec.rb                  | 12 +++++++++++-
 4 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/app/controllers/well_known/webfinger_controller.rb b/app/controllers/well_known/webfinger_controller.rb
index 480e58f3f0..9de9db6ba8 100644
--- a/app/controllers/well_known/webfinger_controller.rb
+++ b/app/controllers/well_known/webfinger_controller.rb
@@ -8,7 +8,8 @@ module WellKnown
     before_action :set_account
     before_action :check_account_suspension
 
-    rescue_from ActiveRecord::RecordNotFound, ActionController::ParameterMissing, with: :not_found
+    rescue_from ActiveRecord::RecordNotFound, with: :not_found
+    rescue_from ActionController::ParameterMissing, WebfingerResource::InvalidRequest, with: :bad_request
 
     def show
       expires_in 3.days, public: true
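Review bot: The two `rescue_from` lines now encode a status-code policy (unknown account → 404, absent or malformed `resource` → 400) that nothing in the file states, so a later edit could easily fold them back together; a one-line comment above them would pin the intent, e.g. `# RFC 7033: a missing or malformed resource is a 400; only an unknown account is a 404.` Note that Rails matches `rescue_from` handlers last-declared-first, so any handler for a broader class added below these would shadow both. Since the exception presumably surfaces from `set_account`, which runs before `show`, neither the 400 nor the 404 carries the `expires_in` set in `show` and so is not publicly cacheable, unlike the suspended-account path that deliberately caches its 410; that seems intended but is worth stating in the same comment.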
@@ -37,6 +38,10 @@ module WellKnown
       expires_in(3.minutes, public: true) && gone if @account.suspended?
     end
 
+    def bad_request
+      head 400
+    end
+
     def not_found
       head 404
     end
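Review bot: `bad_request` copies the numeric-status style of `not_found`; both read more clearly in the symbolic form Rails accepts, `head :bad_request` and `head :not_found`, which also avoids the two handlers diverging later. Whether these handlers sit below a `private` marker cannot be seen from this hunk; if they do not, they are routable actions and should be moved under it.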
diff --git a/app/lib/webfinger_resource.rb b/app/lib/webfinger_resource.rb
index 22d78874a4..4209454859 100644
--- a/app/lib/webfinger_resource.rb
+++ b/app/lib/webfinger_resource.rb
@@ -3,6 +3,8 @@
 class WebfingerResource
   attr_reader :resource
 
+  class InvalidRequest < StandardError; end
+
   def initialize(resource)
     @resource = resource
   end
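Review bot: `InvalidRequest` is declared without any documentation, and its name alone does not say which inputs raise it or why it is distinct from `ActiveRecord::RecordNotFound`; a comment would let callers map it to the right response, e.g. `# Raised when +resource+ is absent or not in a recognisable acct:/URL form; a client error (400), not "account not found".` Because it subclasses `StandardError`, a bare `rescue` around `WebfingerResource#username` will swallow it exactly as it swallowed `RecordNotFound`, so the change is neutral for such callers.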
@@ -14,7 +16,7 @@ class WebfingerResource
     when /\@/
       username_from_acct
     else
-      raise(ActiveRecord::RecordNotFound)
+      raise InvalidRequest
     end
   end
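Review bot: Only the `else` branch of the `case` raises `InvalidRequest`; the earlier `when` branches above the hunk dispatch to `username_from_acct` and, I assume, a URL helper, and if those still raise `ActiveRecord::RecordNotFound` for a syntactically broken acct: or https: value (their bodies are not visible here) such inputs keep returning 404 while `df/:dfkj` returns 400, so the new policy is only partly applied. Those helpers are worth checking so that a parse failure raises `InvalidRequest` and only a genuine lookup miss raises `RecordNotFound`. A `nil` `resource` does reach `else`, since `Regexp#===` is false for non-strings, so the library covers the missing-parameter case independently of the controller's `ParameterMissing` handling. `username` starts outside the hunk.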
 
diff --git a/spec/controllers/well_known/webfinger_controller_spec.rb b/spec/controllers/well_known/webfinger_controller_spec.rb
index 20275aa63b..46f63185b9 100644
--- a/spec/controllers/well_known/webfinger_controller_spec.rb
+++ b/spec/controllers/well_known/webfinger_controller_spec.rb
@@ -84,5 +84,15 @@ PEM
 
       expect(response).to have_http_status(:not_found)
     end
+
+    it 'returns http bad request when not given a resource parameter' do
+      get :show, params: { }, format: :json
+      expect(response).to have_http_status(:bad_request)
+    end
+
+    it 'returns http bad request when given a nonsense parameter' do
+      get :show, params: { resource: 'df/:dfkj' }
+      expect(response).to have_http_status(:bad_request)
+    end
   end
 end
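Review bot: The two new examples are inconsistent with each other: the first passes `format: :json` and an oddly spaced `{ }` while the second passes neither, so they exercise different content-negotiation paths and only the `resource` value should differ between them. Suggest `get :show, params: {}, format: :json` for the first and `get :show, params: { resource: 'df/:dfkj' }, format: :json` for the second, matching whichever form the existing examples above the hunk use. Neither example asserts on `Cache-Control`, which is where the 400 and 404 responses differ from the `expires_in`-cached 200 and 410 paths; an expectation that the 400 is not marked public would lock that in.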
diff --git a/spec/lib/webfinger_resource_spec.rb b/spec/lib/webfinger_resource_spec.rb
index 287537a261..236e9f3e2d 100644
--- a/spec/lib/webfinger_resource_spec.rb
+++ b/spec/lib/webfinger_resource_spec.rb
@@ -39,7 +39,7 @@ describe WebfingerResource do
 
         expect {
           WebfingerResource.new(resource).username
-        }.to raise_error(ActiveRecord::RecordNotFound)
+        }.to raise_error(WebfingerResource::InvalidRequest)
       end
 
       it 'finds the username in a valid https route' do
@@ -123,5 +123,15 @@ describe WebfingerResource do
         expect(result).to eq 'alice'
       end
     end
+
+    describe 'with a nonsense resource' do
+      it 'raises InvalidRequest' do
+        resource = 'df/:dfkj'
+
+        expect {
+          WebfingerResource.new(resource).username
+        }.to raise_error(WebfingerResource::InvalidRequest)
+      end
+    end
   end
 end
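Review bot: The new `with a nonsense resource` block looks like a duplicate of the example at lines 88–91 of the same file, which already expects `WebfingerResource::InvalidRequest` from `username`, unless the resource value in that earlier context (outside the hunk) has a different shape; if both use a slash-and-colon string, keep one, or make the new one cover a distinct input such as `nil`, which reaches the same `else` branch because `Regexp#===` is false for non-strings. A `nil` example is worth having since the controller's `ParameterMissing` path and the library's own handling are separate routes to the 400.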
-- 
GitLab