Do not set up PUI routes for handling slug-based URLs if use_human_readable_urls is false #3043
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…adable_urls is false
…ble_urls is false
|
@andrew-morrison looks like there are some rubocop violations that need attention before we can merge this. |
|
The rubocop violations have been fixed. |
cdibella
added
the
community
brianzelip
reviewed
Oct 27, 2023
|
Hi @andrew-morrison. We've got a suspicion the Classification Terms routes don't work as expected. We need to set something up to test but haven't gotten to it yet. It's on our radar and we'll follow up in the near future. |
donaldjosephsmith
approved these changes
Nov 17, 2023
thimios
pushed a commit
that referenced
this pull request
Apr 4, 2024
…adable_urls is false (#3043) Prevent database lookups for slug URLs that remain if use_human_readable_urls is false
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Similar to #2436, this pull request prevents the PUI from attempting to handle requests for slug-based URLs when
AppConfig[:use_human_readable_urls]is false (which is the default value.) At present, whenever it receives a request that matches any of the slug-based URLs defined in routes.rb, it sends a request to the backend, which does a lookup in the slug column of the relevant database table. The PUI won't generate any slug-based links, but this route in particular......means any URL like https://test.archivesspace.org/foo/bar will trigger a lookup. Such a URL might be something a plug-in developer wants to write a controller to handle, but cannot because the above route will take precedence. Also, similar URLs may be probed by bad actors looking for known vulnerabilities in other platforms, such as https://test.archivesspace.org/admin/login.php. They won't find a vulnerability, but it does trigger an unnecessary database lookup every time.
Related JIRA Ticket or GitHub Issue
None
How Has This Been Tested?
It does not affect existing routes using
:ridand:idparameters, and obviously won't make any difference to organizations that do have human-readable URLs enabled. There are a few routes that do double duty for both slug-based and ID-based URLs, such as......so I have added another test for
AppConfig[:use_human_readable_urls]in application_controller.rb to prevent those triggering unnecessary database lookups either.Screenshots (if appropriate):
Types of changes
Checklist: