Validates response processed by exception handler

darren987469 · darren987469 · commit 9e945a69acd8 · 2018-08-05T16:46:02.000+08:00
If block of  return nil, the response would be nil.
That causes system information leak. Add a validation to prevent it.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,7 @@
 * [#1758](https://github.com/ruby-grape/grape/pull/1758): Fix expanding load_path in gemspec - [@2maz](https://github.com/2maz).
 * [#1765](https://github.com/ruby-grape/grape/pull/1765): Use 415 when request body is of an unsupported media type - [@jdmurphy](https://github.com/jdmurphy).
 * [#1771](https://github.com/ruby-grape/grape/pull/1771): Fix param aliases with 'given' blocks - [@jereynolds](https://github.com/jereynolds).
+* [#1776](https://github.com/ruby-grape/grape/pull/1776): Validates response processed by exception handler - [@darren987469](https://github.com/darren987469).
 
 ### 1.0.3 (4/23/2018)
 
diff --git a/lib/grape/middleware/error.rb b/lib/grape/middleware/error.rb
@@ -127,7 +127,13 @@ def run_rescue_handler(handler, error)
           handler = public_method(handler)
         end
 
-        handler.arity.zero? ? instance_exec(&handler) : instance_exec(error, &handler)
+        response = handler.arity.zero? ? instance_exec(&handler) : instance_exec(error, &handler)
+        valid_response?(response) ? response : error!('Internal Server Error(Invalid Response)')
+      end
+
+      def valid_response?(response)
+        # Rack::Response.new(...).finish generates an array with size 3
+        response.is_a?(Array) && response.size == 3
       end
     end
   end
diff --git a/spec/grape/api_spec.rb b/spec/grape/api_spec.rb
@@ -1723,6 +1723,26 @@ class CustomError < Grape::Exceptions::Base; end
       expect(last_response.status).to eql 500
       expect(last_response.body).to eq('Formatter Error')
     end
+
+    it 'validates response processed by exception handler' do
+      subject.rescue_from ArgumentError do
+        error!('rain!')
+        nil # invalid response caused by return nil
+      end
+      subject.rescue_from :all do
+        error!('rain!')
+      end
+      subject.get('/invalid_response') { raise ArgumentError }
+      subject.get('/valid_response') { raise 'rain!' }
+
+      get '/invalid_response'
+      expect(last_response.status).to eql 500
+      expect(last_response.body).to eq('Internal Server Error(Invalid Response)')
+
+      get '/valid_response'
+      expect(last_response.status).to eql 500
+      expect(last_response.body).to eq('rain!')
+    end
   end
 
   describe '.rescue_from klass, block' do
