This repository was archived by the owner on Oct 19, 2018. It is now read-only.

remove controller from params before printing error in ServerOp #18

@catmando

Otherwise on exceptions the Rails log has too much spam.

add delete(:controller) to the two rescues...

module Hyperloop
  class ServerOp < Operation

    class << self

      def run_from_client(security_param, controller, operation, params)
        if Rails.env.production?
          # in production everything is eager loaded so ServerOp.descendants is filled and can be used to guard the .constantize
          Hyperloop::InternalPolicy.raise_operation_access_violation unless Hyperloop::ServerOp.descendants_map_cache.include?(operation)
          # however ...
        else
          # ... in development things are autoloaded on demand, thus ServerOp.descendants can be empty or partially filled and the above guard
          # would fail legal operations. To prevent this, the class has to be loaded first, which .const_get will take care of, and then
          # it is guarded, to achieve similar behaviour as in production. Doing the const_get first, before the guard,
          # would not be safe for production and would allow for potential remote code execution!
          begin
            const = Object.const_get(operation)
          rescue NameError
            Hyperloop::InternalPolicy.raise_operation_access_violation
          end
          Hyperloop::InternalPolicy.raise_operation_access_violation unless const < Hyperloop::ServerOp
        end
        operation.constantize.class_eval do
          if _Railway.params_wrapper.method_defined?(:controller)
            params[:controller] = controller
          elsif !_Railway.params_wrapper.method_defined?(security_param)
            raise AccessViolation
          end
          run(deserialize_params(params))
          .then { |r| return { json: { response: serialize_response(r) } } }
          .fail do |e|
            params.delete(:controller)  # <-------------------------------------------------------
            ::Rails.logger.debug "\033[0;31;1mERROR: Hyperloop::ServerOp failed when running #{operation} with params \"#{params}\": #{e}\033[0;30;21m"
            return { json: { error: e }, status: 500 }
          end
        end
      rescue Exception => e
        params.delete(:controller)  # <-------------------------------------------------------
        ::Rails.logger.debug "\033[0;31;1mERROR: Hyperloop::ServerOp exception caught when running #{operation} with params \"#{params}\": #{e}\033[0;30;21m"
        { json: { error: e }, status: 500 }
      end
    end
  end
end
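
A non-mutating variant of the same idea, as an added example that is not part of the original issue or of Hyperloop's code: it builds a separate log-safe copy of the params instead of calling `params.delete(:controller)` on the hash that was passed in. `loggable_params`, `LOG_EXCLUDED_KEYS`, `MAX_LOGGED_VALUE` and `FakeController` are hypothetical names, and the 200-character cap is an assumption.

```ruby
# Added example: plain Ruby, no Rails required. All names below are
# hypothetical and not part of Hyperloop.
LOG_EXCLUDED_KEYS = %w[controller].freeze
MAX_LOGGED_VALUE = 200 # assumed cap on characters logged per value

# Returns a new hash suitable for interpolating into a log line.
# The caller's hash is left untouched, unlike params.delete(:controller).
def loggable_params(params)
  params.each_with_object({}) do |(key, value), out|
    # to_s makes the check match both :controller and "controller"
    next if LOG_EXCLUDED_KEYS.include?(key.to_s)

    text = value.inspect
    out[key] = if text.length > MAX_LOGGED_VALUE
                 "#{text[0, MAX_LOGGED_VALUE]}...(truncated)"
               else
                 value
               end
  end
end

# Constructed stand-in for a controller object whose #inspect output is huge.
class FakeController
  def inspect
    "#<FakeController " + ("request/session state " * 500) + ">"
  end
end

# Builds the log line the way the rescue branches do, from constructed input.
def demo
  params = { controller: FakeController.new, "name" => "widget", blob: "x" * 1000 }
  safe = loggable_params(params)
  line = "ERROR: operation failed with params #{safe}"
  { safe: safe, line: line, original_keys: params.keys }
end

puts demo[:line] if __FILE__ == $PROGRAM_NAME
```
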