Merge pull request #202 from internetee/fix/whois-invalid-encoding-crash

vohmar · web-flow · commit 97aae11b8ed2 · 2025-10-24T10:16:50.000+03:00
Fix JSON serialization crash on invalid UTF-8 input
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-24.04]
-        ruby: ['3.4.4']
+        ruby: ['3.4.5']
     runs-on: ${{ matrix.os }}
     env:
       PG_DATABASE: postgres
diff --git a/.gitignore b/.gitignore
@@ -29,3 +29,8 @@ config/deploy.rb
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
+.DS_Store
+app/.DS_Store
+test/.DS_Store
+.bash_history
+.claude
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-3.4.4
+3.4.5
diff --git a/Gemfile b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-ruby '3.4.4'
+ruby '3.4.5'
 
 # core
 gem 'eventmachine', '~> 1.2.7'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -19,56 +19,58 @@ GEM
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
-    ast (2.4.2)
+    ast (2.4.3)
     base64 (0.3.0)
     benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (3.3.1)
     coderay (1.1.3)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
+    connection_pool (2.5.4)
     daemons (1.4.1)
     docile (1.4.1)
     dotenv (3.1.8)
     drb (2.2.3)
     eventmachine (1.2.7)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    json (2.10.2)
-    language_server-protocol (3.17.0.4)
+    json (2.15.1)
+    language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
     method_source (1.1.0)
     mina (1.2.5)
       rake
-    minitest (5.25.5)
+    minitest (5.26.0)
     mocha (2.7.1)
       ruby2_keywords (>= 0.0.5)
     ostruct (0.6.3)
-    parallel (1.26.3)
-    parser (3.3.7.1)
+    parallel (1.27.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
       racc
     pg (1.5.9)
+    prism (1.6.0)
     pry (0.15.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
     racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.2.1)
-    regexp_parser (2.10.0)
-    rubocop (1.73.2)
+    rake (13.3.0)
+    regexp_parser (2.11.3)
+    rubocop (1.81.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.38.1)
-      parser (>= 3.3.1.0)
+    rubocop-ast (1.47.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.4.1)
@@ -81,9 +83,9 @@ GEM
     timeout (0.4.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
 
 PLATFORMS
   aarch64-linux
@@ -105,7 +107,7 @@ DEPENDENCIES
   simpleidn (~> 0.2.1)
 
 RUBY VERSION
-   ruby 3.4.4p34
+   ruby 3.4.5p51
 
 BUNDLED WITH
    2.6.9
diff --git a/app/validators/unicode_validator.rb b/app/validators/unicode_validator.rb
@@ -22,7 +22,7 @@ def valid?
   private
 
   def valid_utf8_encoding?(string)
-    string.force_encoding(UTF8_ENCODING).valid_encoding?
+    string.dup.force_encoding(UTF8_ENCODING).valid_encoding?
   end
 
   def prepare_string(input)
diff --git a/lib/logging.rb b/lib/logging.rb
@@ -12,11 +12,28 @@ def logger
 
   def log_json(payload)
     base_log = build_base_log(payload)
-    logger.info(base_log.to_json)
+    safe_log = sanitize_for_json(base_log)
+    logger.info(safe_log.to_json)
+  rescue JSON::GeneratorError, Encoding::UndefinedConversionError => e
+    logger.error("[ERROR] JSON serialization failed: #{e.class} - #{e.message}")
+    logger.error("[CONTEXT] Original payload: #{payload.inspect}")
   end
 
   private
 
+  def sanitize_for_json(value)
+    case value
+    when String
+      value.dup.encode('UTF-8', invalid: :replace, undef: :replace, replace: '�').scrub('�')
+    when Array
+      value.map { |item| sanitize_for_json(item) }
+    when Hash
+      value.transform_values { |item| sanitize_for_json(item) }
+    else
+      value
+    end
+  end
+
   # rubocop:disable Metrics/MethodLength
   def build_base_log(payload)
     {
diff --git a/lib/whois_server.rb b/lib/whois_server.rb
@@ -81,7 +81,15 @@ def invalid_data?(data, ip)
 
   def process_whois_request(data, ip)
     cleaned_data = data.strip
-    name = SimpleIDN.to_unicode(cleaned_data.downcase)
+    utf8_data = cleaned_data.force_encoding('UTF-8')
+
+    unless utf8_data.valid_encoding?
+      log_invalid_encoding(ip, data)
+      send_data(invalid_encoding_msg)
+      return
+    end
+
+    name = SimpleIDN.to_unicode(utf8_data.downcase)
     unless domain_valid_format?(name)
       log_policy_error(ip, cleaned_data, name)
       send_data(policy_error_msg)
