Handling relative paths with extra URI parts.

gabriel-amaral · gabriel-amaral · commit b8e4640d7262 · 2024-03-07T19:44:32.000Z
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -637,16 +637,22 @@ def normalize_action_path(action_path) # :doc:
         uri = URI.parse(action_path)
 
         if uri.relative? && (action_path.blank? || !action_path.start_with?("/"))
-          uri = URI.parse(request.path)
-          # add the action path to the request.path
-          uri.path += "/#{action_path}"
-          # relative path with "./path"
-          uri.path.gsub!("/./", "/")
+          return normalize_relative_action_path(uri.path)
         end
 
         uri.path.chomp("/")
       end
 
+      def normalize_relative_action_path(rel_action_path) # :doc:
+        uri = URI.parse(request.path)
+        # add the action path to the request.path
+        uri.path += "/#{rel_action_path}"
+        # relative path with "./path"
+        uri.path.gsub!("/./", "/")
+
+        uri.path.chomp("/")
+      end
+
       def generate_csrf_token # :nodoc:
         SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
       end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -1151,6 +1151,32 @@ def test_handles_relative_paths_with_dot
     assert_response :success
   end
 
+  def test_handles_query_string
+    get :index, params: { form_path: "./post_one?a=b" }
+
+    form_token = assert_presence_and_fetch_form_csrf_token
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
+    assert_nothing_raised do
+      post :post_one, params: { custom_authenticity_token: form_token }
+    end
+    assert_response :success
+  end
+
+  def test_handles_fragment
+    get :index, params: { form_path: "./post_one#a" }
+
+    form_token = assert_presence_and_fetch_form_csrf_token
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env["PATH_INFO"] = "/per_form_tokens/post_one"
+    assert_nothing_raised do
+      post :post_one, params: { custom_authenticity_token: form_token }
+    end
+    assert_response :success
+  end
+
   def test_ignores_origin_during_generation
     get :index, params: { form_path: "https://example.com/per_form_tokens/post_one/" }
 
