Gracefully handle invalid query parameters for custom fields (#35312).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@21012 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-11 15:56:03 +01:00 · 2021-05-28 03:58:01 +00:00
parent 7b2fdc771b
commit 66fc9f463d
5 changed files with 35 additions and 2 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -725,6 +725,13 @@ class ApplicationController < ActionController::Base
    render_error l(:error_query_statement_invalid)
  end

+  def query_error(exception)
+    Rails.logger.debug "#{exception.class.name}: #{exception.message}"
+    Rails.logger.debug "    #{exception.backtrace.join("\n    ")}"
+
+    render_404
+  end
+
  # Renders a 204 response for successful updates or deletions via the API
  def render_api_ok
    render_api_head :no_content
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -29,6 +29,7 @@ class IssuesController < ApplicationController
  accept_api_auth :index, :show, :create, :update, :destroy

  rescue_from Query::StatementInvalid, :with => :query_statement_invalid
+  rescue_from Query::QueryError, :with => :query_error

  helper :journals
  helper :projects
@@ -470,6 +471,11 @@ class IssuesController < ApplicationController

  private

+  def query_error(exception)
+    session.delete(:issue_query)
+    super
+  end
+
  def retrieve_previous_and_next_issue_ids
    if params[:prev_issue_id].present? || params[:next_issue_id].present?
      @prev_issue_id = params[:prev_issue_id].presence.try(:to_i)
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -32,6 +32,7 @@ class TimelogController < ApplicationController
  accept_api_auth :index, :show, :create, :update, :destroy

  rescue_from Query::StatementInvalid, :with => :query_statement_invalid
+  rescue_from Query::QueryError, :with => :query_error

  helper :issues
  include TimelogHelper
@@ -303,4 +304,9 @@ class TimelogController < ApplicationController
  def retrieve_time_entry_query
    retrieve_query(TimeEntryQuery, false, :defaults => @default_columns_names)
  end
+
+  def query_error(exception)
+    session.delete(:time_entry_query)
+    super
+  end
 end
--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -239,6 +239,9 @@ class Query < ActiveRecord::Base
  class StatementInvalid < ::ActiveRecord::StatementInvalid
  end

+  class QueryError < StandardError
+  end
+
  include Redmine::SubclassFactory

  VISIBILITY_PRIVATE = 0
@@ -1143,7 +1146,7 @@ class Query < ActiveRecord::Base
      assoc = $1
      customized_key = "#{assoc}_id"
      customized_class = queried_class.reflect_on_association(assoc.to_sym).klass.base_class rescue nil
-      raise "Unknown #{queried_class.name} association #{assoc}" unless customized_class
+      raise QueryError, "Unknown #{queried_class.name} association #{assoc}" unless customized_class
    end
    where = sql_for_field(field, operator, value, db_table, db_field, true)
    if /[<>]/.match?(operator)
@@ -1420,7 +1423,7 @@ class Query < ActiveRecord::Base
    when "$"
      sql = sql_contains("#{db_table}.#{db_field}", value.first, :ends_with => true)
    else
-      raise "Unknown query operator #{operator}"
+      raise QueryError, "Unknown query operator #{operator}"
    end

    return sql
--- a/test/integration/issues_test.rb
+++ b/test/integration/issues_test.rb
@@ -322,4 +322,15 @@ class IssuesTest < Redmine::IntegrationTest
      assert_response 404
    end
  end
+
+  def test_invalid_operators_should_render_404
+    get '/projects/ecookbook/issues', :params => {
+      'set_filter' => '1',
+      'f' => ['status_id', 'cf_9'],
+      'op' => {'status_id' => 'o', 'cf_9' => '=6546546546'},
+      'v' => {'cf_9' => ['2021-05-25']}
+    }
+
+    assert_response 404
+  end
 end