req.params may throw EOFError

[gingerlime]

This is more of a question / advice on protecting against some types of malformed requests.

We currently have simple simple block

Rack::Attack.blocklist("Block requests with invalid params") do |req|
  begin
    req.params  # just testing that params are valid
    false
  rescue Rack::QueryParser::InvalidParameterError
    true
  end
end

This works great for requests like curl -D - --data 'email=xTremx%%72900' localhost:3000/en/login for example.

However, there is another type of malformed requests that causes Rack to throw an EOFError (or soon EmptyContentError). e.g. curl -D - --header 'Content-Type:multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS' localhost:3000/en/login

I know I can also rescue from EOFError. However, if I don't have this block, Rails seems to handle the malformed request fine somehow. I can even access params[:xyz] inside the controller for example. I'm wondering if there's a better/different way to check the request without catching a bunch of specific/less-specific exceptions?

[i7an]

I reckon if you want to keep the RoR's behavior you have to replicate it yourself:

# @see ActionDispatch::Http::Parameters#parameters
params =
  begin
    req.params
  rescue EOFError
    req.GET
  end

[gingerlime]

Thank you. We ended up with a slightly different solution eventually. See below.

[gingerlime]

Apologies for not replying, and it's been a while so my memory is fuzzy, but if I recall, what we ended up doing was catching EOFError but then returning false inside the blocklist. This would pass the request to Rails, which would handle it ok.