e37798a3-1e41-4888-b59a-d239d1cb14a6

Committed 05 May 2026 12:18AM UTC coverage: 83.748% (-11.7%) from 95.406%

Build # e37798a3-1e41-4888-b59a-d239d1cb14a6

Build Type

push

circleci

Committed by

web-flow

Commit Message

Bump axe-core-rspec from 4.11.2 to 4.11.3 (#5848)

Bumps [axe-core-rspec](https://github.com/dequelabs/axe-core-gems) from 4.11.2 to 4.11.3.
- [Release notes](https://github.com/dequelabs/axe-core-gems/releases)
- [Changelog](https://github.com/dequelabs/axe-core-gems/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/dequelabs/axe-core-gems/compare/v4.11.2...v4.11.3)

---
updated-dependencies:
- dependency-name: axe-core-rspec
  dependency-version: 4.11.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Coverage Stats

5560 of 6639 relevant lines covered (83.75%)

82.08 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

93.75

/lib/orangelight/middleware/invalid_parameter_handler.rb

# frozen_string_literal: true

# If the user enters a url that has invalid parameters
# this middleware will return a 400 status
# and the load balancer will display its own error page

module Orangelight
  module Middleware
    class InvalidParameterHandler
      def initialize(app)
        @app = app
      end

      def call(env)
        validate_for!(env)
        @app.call(env)
      rescue ActionController::BadRequest => bad_request_error
        raise bad_request_error if raise_error?(bad_request_error.message)

        Rails.logger.error "Invalid parameters passed in the request: #{bad_request_error} within the environment #{@request.inspect}"
        bad_request_response(env)
      end

      private

        def bad_request_body
          'Bad Request'
        end

        def bad_request_headers(env)
          {
            'Content-Type' => "#{request_content_type(env)}; charset=#{default_charset}",
            'Content-Length' => bad_request_body.bytesize.to_s
          }
        end

        def bad_request_response(env)
          [
            bad_request_status,
            bad_request_headers(env),
            [bad_request_body]
          ]
        end

        def bad_request_status
          400
        end

        def default_charset
          ActionDispatch::Response.default_charset
        end

        def default_content_type
          'text/html'
        end

        # Check if facet fields have empty value lists
        def facet_fields_values(params)
          facet_parameter = params.fetch(:f, [])
          raise ActionController::BadRequest, "Invalid facet parameter passed: #{facet_parameter}" unless facet_parameter.is_a?(Array) || facet_parameter.is_a?(Hash)

          facet_parameter.collect do |facet_field, value_list|
            raise ActionController::BadRequest, "Facet field #{facet_field} has a scalar value #{value_list}" if value_list.is_a?(String)

            next unless value_list.nil?
            raise ActionController::BadRequest, "Facet field #{facet_field} has a nil value"
          end
        end

        # Check if params have key with leading or trailing whitespaces
        def check_for_white_spaces(params)
          params.each_key do |k|
            next unless ((k[0].match?(/\s/) || k[-1].match?(/\s/)) && (k.is_a? String)) == true
            raise ActionController::BadRequest, "Param '#{k}' contains a space"
          end
        end

        ##
        # Previously, we were rescuing only from exceptions we recognized.
        # The problem with that is that there will be exceptions we don't recognize and
        # haven't been able to diagnose (see, e.g., https://github.com/pulibrary/orangelight/issues/1455)
        # and when those happen we want to provide the user with a graceful way forward,
        # not just an error screen. Therefore, we should rescue all errors, log the problem,
        # and redirect the user somewhere helpful.
        def raise_error?(_message)
          false
        end

        def request_content_type(env)
          request = request_for(env)
          request.formats.first || default_content_type
        end

        def request_for(env)
          ActionDispatch::Request.new(env.dup)
        end

        def valid_message_patterns
          [
            /invalid %-encoding/,
            /Facet field/,
            /Invalid facet/,
            /contains a space/
          ]
        end

        def validate_for!(env)
          # calling request.params is sufficient to trigger an error
          # see https://github.com/rack/rack/issues/337#issuecomment-46453404
          params = request_for(env).params
          check_for_white_spaces(params)
          facet_fields_values(params)
        end
    end
  end
end

1	# frozen_string_literal: true
2
3	# If the user enters a url that has invalid parameters
4	# this middleware will return a 400 status
5	# and the load balancer will display its own error page
6
7	module Orangelight	1✔
8	module Middleware	1✔
9	class InvalidParameterHandler	1✔
10	def initialize(app)	1✔
11	@app = app	1✔
12	end
13
14	def call(env)	1✔
15	validate_for!(env)	241✔
16	@app.call(env)	238✔
17	rescue ActionController::BadRequest => bad_request_error
18	raise bad_request_error if raise_error?(bad_request_error.message)	3✔
19
20	Rails.logger.error "Invalid parameters passed in the request: #{bad_request_error} within the environment #{@request.inspect}"	3✔
21	bad_request_response(env)	3✔
22	end
23
24	private	1✔
25
26	def bad_request_body	1✔
27	'Bad Request'	6✔
28	end
29
30	def bad_request_headers(env)	1✔
31	{
32	'Content-Type' => "#{request_content_type(env)}; charset=#{default_charset}",	3✔
33	'Content-Length' => bad_request_body.bytesize.to_s
34	}
35	end
36
37	def bad_request_response(env)	1✔
38	[
39	bad_request_status,	3✔
40	bad_request_headers(env),
41	[bad_request_body]
42	]
43	end
44
45	def bad_request_status	1✔
46	400	3✔
47	end
48
49	def default_charset	1✔
50	ActionDispatch::Response.default_charset	3✔
51	end
52
53	def default_content_type	1✔
54	'text/html'	×
55	end
56
57	# Check if facet fields have empty value lists
58	def facet_fields_values(params)	1✔
59	facet_parameter = params.fetch(:f, [])	240✔
60	raise ActionController::BadRequest, "Invalid facet parameter passed: #{facet_parameter}" unless facet_parameter.is_a?(Array) \|\| facet_parameter.is_a?(Hash)	240✔
61
62	facet_parameter.collect do \|facet_field, value_list\|	239✔
63	raise ActionController::BadRequest, "Facet field #{facet_field} has a scalar value #{value_list}" if value_list.is_a?(String)	19✔
64
65	next unless value_list.nil?	18✔
66	raise ActionController::BadRequest, "Facet field #{facet_field} has a nil value"	×
67	end
68	end
69
70	# Check if params have key with leading or trailing whitespaces
71	def check_for_white_spaces(params)	1✔
72	params.each_key do \|k\|	241✔
73	next unless ((k[0].match?(/\s/) \|\| k[-1].match?(/\s/)) && (k.is_a? String)) == true	340✔
74	raise ActionController::BadRequest, "Param '#{k}' contains a space"	1✔
75	end
76	end
77
78	##
79	# Previously, we were rescuing only from exceptions we recognized.
80	# The problem with that is that there will be exceptions we don't recognize and
81	# haven't been able to diagnose (see, e.g., https://github.com/pulibrary/orangelight/issues/1455)
82	# and when those happen we want to provide the user with a graceful way forward,
83	# not just an error screen. Therefore, we should rescue all errors, log the problem,
84	# and redirect the user somewhere helpful.
85	def raise_error?(_message)	1✔
86	false	3✔
87	end
88
89	def request_content_type(env)	1✔
90	request = request_for(env)	3✔
91	request.formats.first \|\| default_content_type	3✔
92	end
93
94	def request_for(env)	1✔
95	ActionDispatch::Request.new(env.dup)	244✔
96	end
97
98	def valid_message_patterns	1✔
99	[	×
100	/invalid %-encoding/,
101	/Facet field/,
102	/Invalid facet/,
103	/contains a space/
104	]
105	end
106
107	def validate_for!(env)	1✔
108	# calling request.params is sufficient to trigger an error
109	# see https://github.com/rack/rack/issues/337#issuecomment-46453404
110	params = request_for(env).params	241✔
111	check_for_white_spaces(params)	241✔
112	facet_fields_values(params)	240✔
113	end
114	end
115	end
116	end

pulibrary / orangelight / e37798a3-1e41-4888-b59a-d239d1cb14a6

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous