This repository has been archived by the owner on Oct 19, 2018. It is now read-only.

remove controller from params before printing error in ServerOp #18

Open
catmando opened this issue Mar 6, 2018 · 0 comments

Comments


catmando commented Mar 6, 2018

otherwise on exceptions the rails log has too much spam.

add delete(:controller) to the two rescues...

```ruby
module Hyperloop
  class ServerOp < Operation

    class << self

      def run_from_client(security_param, controller, operation, params)
        if Rails.env.production?
          # in production everything is eager loaded so ServerOp.descendants is filled and can be used to guard the .constantize
          Hyperloop::InternalPolicy.raise_operation_access_violation unless Hyperloop::ServerOp.descendants_map_cache.include?(operation)
          # however ...
        else
          # ... in development things are autoloaded on demand, thus ServerOp.descendants can be empty or partially filled and the above guard
          # would fail legal operations. To prevent this, the class has to be loaded first, which .const_get will take care of, and then
          # it's guarded, to achieve similar behaviour as in production. Doing the const_get first, before the guard,
          # would not be safe for production and allow for potential remote code execution!
          begin
            const = Object.const_get(operation)
          rescue NameError
            Hyperloop::InternalPolicy.raise_operation_access_violation
          end
          Hyperloop::InternalPolicy.raise_operation_access_violation unless const < Hyperloop::ServerOp
        end
        operation.constantize.class_eval do
          if _Railway.params_wrapper.method_defined?(:controller)
            params[:controller] = controller
          elsif !_Railway.params_wrapper.method_defined?(security_param)
            raise AccessViolation
          end
          run(deserialize_params(params))
          .then { |r| return { json: { response: serialize_response(r) } } }
          .fail do |e|
            params.delete(:controller)  # <------------------------------------------------------- added: drop the controller object before logging
            ::Rails.logger.debug "\033[0;31;1mERROR: Hyperloop::ServerOp failed when running #{operation} with params \"#{params}\": #{e}\033[0;30;21m"
            return { json: { error: e }, status: 500 }
          end
        end
      rescue Exception => e
        params.delete(:controller)  # <------------------------------------------------------- added: drop the controller object before logging
        ::Rails.logger.debug "\033[0;31;1mERROR: Hyperloop::ServerOp exception caught when running #{operation} with params \"#{params}\": #{e}\033[0;30;21m"
        { json: { error: e }, status: 500 }
      end

    end
  end
end
```
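The two defensive steps in run_from_client above, modelled as an added stand-alone example that is not Hyperloop's own code: resolving a client-supplied operation name without letting it reach arbitrary constants, and stripping the controller object from params before the failure is logged. The class names `ServerOp`, `LegitOp`, `NotAnOp`, `FakeController` and the `registry:` argument are assumptions standing in for the real Hyperloop pieces.

```ruby
# Stand-in for Hyperloop::ServerOp and two loaded classes (assumed names).
class AccessViolation < StandardError; end
class ServerOp; end
class LegitOp < ServerOp; end  # an operation a client is allowed to run
class NotAnOp; end             # a loaded class that is not an operation

# Resolve a client-supplied operation name the way run_from_client does.
# In production only names in the preloaded descendants registry pass, and
# that check runs before any constant lookup so the name never triggers a
# load. In development the constant is loaded first and must then prove to
# be a ServerOp subclass.
def resolve_operation(name, production:, registry: [])
  if production && !registry.include?(name)
    raise AccessViolation, "unknown operation #{name}"
  end
  const = begin
    Object.const_get(name)
  rescue NameError
    raise AccessViolation, "unknown operation #{name}"
  end
  # is_a?(Class) covers constants that are modules (Kernel) or plain values
  # (RUBY_VERSION), where `const < ServerOp` returns nil or raises ArgumentError.
  unless const.is_a?(Class) && const < ServerOp
    raise AccessViolation, "#{name} is not a ServerOp"
  end
  const
end

# A controller instance drags request, response and session state into its
# inspect output, which is the log spam the issue describes (assumed stand-in).
class FakeController
  def initialize
    @request = "GET /items?page=1 " * 500
  end
end

# Params as they should appear in the failure log: the controller is dropped.
def loggable_params(params)
  params.reject { |k, _| k.to_s == "controller" }
end

def failure_log_line(operation, params, error)
  "ERROR: ServerOp failed when running #{operation} " \
    "with params \"#{loggable_params(params)}\": #{error}"
end
```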
catmando added a commit that referenced this issue Mar 6, 2018