Merge pull request rails#55319 from cmitz/fix_param_encoding_errors

byroot · web-flow · commit 8f42c2b4a1a1 · 2025-07-11T09:29:32.000+02:00
Fix errors when querystring keys have invalid encoding
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Always check query string keys for valid encoding just like values are checked.
+
+    *Casper Smits*
+
 *   Always return empty body for HEAD requests in `PublicExceptions` and
     `DebugExceptions`.
 
diff --git a/actionpack/lib/action_dispatch/http/param_builder.rb b/actionpack/lib/action_dispatch/http/param_builder.rb
@@ -111,6 +111,10 @@ def store_nested_param(params, name, v, depth, encoding_template = nil)
 
         return if k.empty?
 
+        unless k.valid_encoding?
+          raise InvalidParameterError, "Invalid encoding for parameter: #{k}"
+        end
+
         if depth == 0 && String === v
           # We have to wait until we've found the top part of the name,
           # because that's what the encoding template is configured with
diff --git a/actionpack/test/dispatch/request_test.rb b/actionpack/test/dispatch/request_test.rb
@@ -1121,6 +1121,11 @@ class RequestParameters < BaseRequestTest
     assert_raises(ActionController::BadRequest) { request.parameters }
   end
 
+  test "parameters key containing an invalid UTF8 character" do
+    request = stub_request("QUERY_STRING" => "%81E=bar")
+    assert_raises(ActionController::BadRequest) { request.parameters }
+  end
+
   test "parameters containing a deeply nested invalid UTF8 character" do
     request = stub_request("QUERY_STRING" => "foo[bar]=%81E")
     assert_raises(ActionController::BadRequest) { request.parameters }
