e98ae4b5-e123-4c92-ac1a-3395947ae8fe

Committed 20 May 2026 10:23PM UTC coverage: 82.236% (-13.3%) from 95.582%

Build # e98ae4b5-e123-4c92-ac1a-3395947ae8fe

Build Type

push

circleci

Committed by

web-flow

Commit Message

Add cooldown to dependabot (#5915)

This matches the other DACS projects

Coverage Stats

5472 of 6654 relevant lines covered (82.24%)

1134.65 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

68.75

/lib/orangelight/middleware/invalid_parameter_handler.rb

# frozen_string_literal: true

# If the user enters a url that has invalid parameters
# this middleware will return a 400 status
# and the load balancer will display its own error page

module Orangelight
  module Middleware
    class InvalidParameterHandler
      def initialize(app)
        @app = app
      end

      def call(env)
        validate_for!(env)
        @app.call(env)
      rescue ActionController::BadRequest => bad_request_error
        raise bad_request_error if raise_error?(bad_request_error.message)

        Rails.logger.error "Invalid parameters passed in the request: #{bad_request_error} within the environment #{@request.inspect}"
        bad_request_response(env)
      end

      private

        def bad_request_body
          'Bad Request'
        end

        def bad_request_headers(env)
          {
            'Content-Type' => "#{request_content_type(env)}; charset=#{default_charset}",
            'Content-Length' => bad_request_body.bytesize.to_s
          }
        end

        def bad_request_response(env)
          [
            bad_request_status,
            bad_request_headers(env),
            [bad_request_body]
          ]
        end

        def bad_request_status
          400
        end

        def default_charset
          ActionDispatch::Response.default_charset
        end

        def default_content_type
          'text/html'
        end

        # Check if facet fields have empty value lists
        def facet_fields_values(params)
          facet_parameter = params.fetch(:f, [])
          raise ActionController::BadRequest, "Invalid facet parameter passed: #{facet_parameter}" unless facet_parameter.is_a?(Array) || facet_parameter.is_a?(Hash)

          facet_parameter.collect do |facet_field, value_list|
            raise ActionController::BadRequest, "Facet field #{facet_field} has a scalar value #{value_list}" if value_list.is_a?(String)

            next unless value_list.nil?
            raise ActionController::BadRequest, "Facet field #{facet_field} has a nil value"
          end
        end

        # Check if params have key with leading or trailing whitespaces
        def check_for_white_spaces(params)
          params.each_key do |k|
            next unless ((k[0].match?(/\s/) || k[-1].match?(/\s/)) && (k.is_a? String)) == true
            raise ActionController::BadRequest, "Param '#{k}' contains a space"
          end
        end

        ##
        # Previously, we were rescuing only from exceptions we recognized.
        # The problem with that is that there will be exceptions we don't recognize and
        # haven't been able to diagnose (see, e.g., https://github.com/pulibrary/orangelight/issues/1455)
        # and when those happen we want to provide the user with a graceful way forward,
        # not just an error screen. Therefore, we should rescue all errors, log the problem,
        # and redirect the user somewhere helpful.
        def raise_error?(_message)
          false
        end

        def request_content_type(env)
          request = request_for(env)
          request.formats.first || default_content_type
        end

        def request_for(env)
          ActionDispatch::Request.new(env.dup)
        end

        def valid_message_patterns
          [
            /invalid %-encoding/,
            /Facet field/,
            /Invalid facet/,
            /contains a space/
          ]
        end

        def validate_for!(env)
          # calling request.params is sufficient to trigger an error
          # see https://github.com/rack/rack/issues/337#issuecomment-46453404
          params = request_for(env).params
          check_for_white_spaces(params)
          facet_fields_values(params)
        end
    end
  end
end

1	# frozen_string_literal: true
2
3	# If the user enters a url that has invalid parameters
4	# this middleware will return a 400 status
5	# and the load balancer will display its own error page
6
7	module Orangelight	1✔
8	module Middleware	1✔
9	class InvalidParameterHandler	1✔
10	def initialize(app)	1✔
11	@app = app	1✔
12	end
13
14	def call(env)	1✔
15	validate_for!(env)	121✔
16	@app.call(env)	121✔
17	rescue ActionController::BadRequest => bad_request_error
18	raise bad_request_error if raise_error?(bad_request_error.message)	×
19
20	Rails.logger.error "Invalid parameters passed in the request: #{bad_request_error} within the environment #{@request.inspect}"	×
21	bad_request_response(env)	×
22	end
23
24	private	1✔
25
26	def bad_request_body	1✔
27	'Bad Request'	×
28	end
29
30	def bad_request_headers(env)	1✔
31	{
32	'Content-Type' => "#{request_content_type(env)}; charset=#{default_charset}",	×
33	'Content-Length' => bad_request_body.bytesize.to_s
34	}
35	end
36
37	def bad_request_response(env)	1✔
38	[
39	bad_request_status,	×
40	bad_request_headers(env),
41	[bad_request_body]
42	]
43	end
44
45	def bad_request_status	1✔
46	400	×
47	end
48
49	def default_charset	1✔
50	ActionDispatch::Response.default_charset	×
51	end
52
53	def default_content_type	1✔
54	'text/html'	×
55	end
56
57	# Check if facet fields have empty value lists
58	def facet_fields_values(params)	1✔
59	facet_parameter = params.fetch(:f, [])	121✔
60	raise ActionController::BadRequest, "Invalid facet parameter passed: #{facet_parameter}" unless facet_parameter.is_a?(Array) \|\| facet_parameter.is_a?(Hash)	121✔
61
62	facet_parameter.collect do \|facet_field, value_list\|	121✔
63	raise ActionController::BadRequest, "Facet field #{facet_field} has a scalar value #{value_list}" if value_list.is_a?(String)	7✔
64
65	next unless value_list.nil?	7✔
66	raise ActionController::BadRequest, "Facet field #{facet_field} has a nil value"	×
67	end
68	end
69
70	# Check if params have key with leading or trailing whitespaces
71	def check_for_white_spaces(params)	1✔
72	params.each_key do \|k\|	121✔
73	next unless ((k[0].match?(/\s/) \|\| k[-1].match?(/\s/)) && (k.is_a? String)) == true	149✔
74	raise ActionController::BadRequest, "Param '#{k}' contains a space"	×
75	end
76	end
77
78	##
79	# Previously, we were rescuing only from exceptions we recognized.
80	# The problem with that is that there will be exceptions we don't recognize and
81	# haven't been able to diagnose (see, e.g., https://github.com/pulibrary/orangelight/issues/1455)
82	# and when those happen we want to provide the user with a graceful way forward,
83	# not just an error screen. Therefore, we should rescue all errors, log the problem,
84	# and redirect the user somewhere helpful.
85	def raise_error?(_message)	1✔
86	false	×
87	end
88
89	def request_content_type(env)	1✔
90	request = request_for(env)	×
91	request.formats.first \|\| default_content_type	×
92	end
93
94	def request_for(env)	1✔
95	ActionDispatch::Request.new(env.dup)	121✔
96	end
97
98	def valid_message_patterns	1✔
99	[	×
100	/invalid %-encoding/,
101	/Facet field/,
102	/Invalid facet/,
103	/contains a space/
104	]
105	end
106
107	def validate_for!(env)	1✔
108	# calling request.params is sufficient to trigger an error
109	# see https://github.com/rack/rack/issues/337#issuecomment-46453404
110	params = request_for(env).params	121✔
111	check_for_white_spaces(params)	121✔
112	facet_fields_values(params)	121✔
113	end
114	end
115	end
116	end

pulibrary / orangelight / e98ae4b5-e123-4c92-ac1a-3395947ae8fe

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous