Handle bad URIs when filtering redirects

gmcgibbon · gmcgibbon · commit 61b0a68940fa · 2024-02-23T00:11:24.000-06:00
rails#51131 introduced parameter filtering for redirects. We didn't account for invalid URIs though, and it changes the behaviour of redirect_to to raise URI errors when we try to filter a bad URI. Instead, we should fallback to filtering bad URIs entirely to preserve behaviour.
diff --git a/actionpack/lib/action_dispatch/http/filter_redirect.rb b/actionpack/lib/action_dispatch/http/filter_redirect.rb
@@ -42,6 +42,8 @@ def parameter_filtered_location
           end
         end
         uri.to_s
+      rescue URI::Error
+        FILTERED
       end
     end
   end
diff --git a/actionpack/test/controller/log_subscriber_test.rb b/actionpack/test/controller/log_subscriber_test.rb
@@ -36,6 +36,10 @@ def filterable_redirector_with_params
       redirect_to "http://secret.foo.bar?username=repinel&password=1234"
     end
 
+    def filterable_redirector_bad_uri
+      redirect_to " s:/invalid-string0uri"
+    end
+
     def data_sender
       send_data "cool data", filename: "file.txt"
     end
@@ -296,6 +300,16 @@ def test_filter_redirect_params_by_regexp
     assert_equal "Redirected to http://secret.foo.bar?username=repinel&password=[FILTERED]", logs[1]
   end
 
+  def test_filter_redirect_bad_uri
+    @request.env["action_dispatch.parameter_filter"] = [/pass.+/]
+
+    get :filterable_redirector_bad_uri
+    wait
+
+    assert_equal 3, logs.size
+    assert_equal "Redirected to [FILTERED]", logs[1]
+  end
+
   def test_send_data
     get :data_sender
     wait
