Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scrub body_data / data params too (e.g. POSTed JSON) #3

Merged
merged 8 commits into from
Sep 18, 2023
Merged

Scrub body_data / data params too (e.g. POSTed JSON) #3

merged 8 commits into from
Sep 18, 2023

Conversation

bigpresh
Copy link
Owner

@bigpresh bigpresh commented Aug 11, 2023
edited
Loading

If we have $c->req->body_data - for e.g. the request was a POST with a JSON body which Catalyst has decoded into $c->req->body_data - then scrub HTML in there too (but applying the same ignore_params checks so that you can exempt certain JSON body params from scrubbing).

Also, if we have $c->req->data added by the role Catalyst::TraitFor::Request::REST which Catalyst::Action::REST / Catalyst::Controller::REST apply to Catalyst::Request to provide RESTful API tools, we need to scrub that too.

Also moved the ignore_params tests into t/03_params.t, and added the tests for this new feature there too - don't need so many individual test apps, when most features can be tested with a single test app.

A new test script and associated test app was added for the tests for scrubbing $c->req->data though, as they depend on Catalyst::Controller::REST being available.

There is a slightly ugly bit of monkey-patching to handle an issue that causes JSON parsing via the default handler for application/json to fail if the body content filehandle has already been read - that's the fix I submitted in PR perl-catalyst/catalyst-runtime/pull/186 but fixed via monkey-patching in the meantime.

@bigpresh bigpresh force-pushed the bigpresh/scrub_deserialised_body_data_params branch from 2f85e05 to 91dbba8 Compare August 11, 2023 10:18
@bigpresh bigpresh changed the title Scrub body_data params too (e.g. POSTed JSON) Scrub body_data / data params too (e.g. POSTed JSON) Sep 14, 2023
@bigpresh bigpresh force-pushed the bigpresh/scrub_deserialised_body_data_params branch 2 times, most recently from 96bdee9 to 069310c Compare September 14, 2023 21:49
@bigpresh
Scrub body_data params too (e.g. POSTed JSON)
cffe04c 
If we have `$c->req->body_data` - for e.g. the request was a POST with
a JSON body which Catalyst has decoded into `$c->req->body_data` - then
scrub HTML in there too (but applying the same `ignore_params` checks so
that you can exempt certain JSON body params from scrubbing).

Also moved the ignore_params tests into t/03_params.t, and added the
tests for this new feature there too - don't need so many individual
test apps, when most features can be tested with a single test app.
@bigpresh
Compare request statuses more usefully
00393c8 
Use `is()` not `ok()` so that, if the request status is *not* what we
expect, we get to see what it actually was.
@bigpresh
Support scrubbing $c->req->data from C::Action::REST
2b6ea03 
If Catalyst::Action::REST / Catalyst::Controller::REST is in use, the
request object will have a `data()` method for deserialised data as added by
the Catalyst::TraitFor::Request::REST role which ought to be scrubbed too.

To support this,

(a) the scrubbing needs to happen later in the request flow - now
    `hooking dispatch()` instead of `prepare_parameters()`
(b) to avoid the data not being read if the request body had already
    been read by `$c->req->body_data`, the fix in this PR is needed:
    perl-catalyst/catalyst-runtime/pull/186
    Until such time, dirtily monkey-patch the `seek()` in.
@bigpresh
Trigger on execute() instead.
222e5d5 
This seems to be the right time to go scrubbing, without the scrubbed
data getting accidentally clobbered, and/or happening too late.
@bigpresh bigpresh force-pushed the bigpresh/scrub_deserialised_body_data_params branch from dfd74f9 to 222e5d5 Compare September 18, 2023 13:50
@bigpresh
Catalyst needs to be loaded for us to load.
c464756 
Our monkey-patch pokes at Catalyst, so Catalyst needs to be loaded
first.

In the usual way of loading the plugin, e.g. listing the plugins you
want on the `use Catalyst` line, that's fine, but here we're testing
just that the plugin compiles, so we will need to load Catalyst first.
@bigpresh
Avoid sub redefined warnings.
5bd94a6 
Yes, we're redefining a sub, intentionally, to monkey-patch, so silence
that warning.
@bigpresh
Remove extra debuggery.
d008d5e
@bigpresh
Blank line to make PkgVersion stop complaining
4330290
@bigpresh bigpresh merged commit a8b7b5e into master Sep 18, 2023
@bigpresh bigpresh mentioned this pull request Sep 19, 2023
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@bigpresh