From 76f9212e57b30cca10a3e7fcb0272b5e35ed3c96 Mon Sep 17 00:00:00 2001
From: Eduardo Navarro
Date: Tue, 18 Sep 2018 13:54:45 +0200
Subject: [PATCH 1/2] Prevent invalid xml output of null characters
Prevent the xml renderer from throwing a 500 internal server error: ActionView::Template::Error (string contains null byte)
Co-authored-by: Victor Pereira
---
 src/api/app/models/comment.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/api/app/models/comment.rb b/src/api/app/models/comment.rb
index 6110049c528..fdf3c3efd7b 100644
--- a/src/api/app/models/comment.rb
+++ b/src/api/app/models/comment.rb
@@ -69,6 +69,7 @@ def to_xml(builder, include_commentable = false)
 attrs['project'] = commentable.project if commentable.is_a?(Package)
 end
 attrs[:parent] = parent_id if parent_id
+ body.delete!("\u0000")
 builder.comment_(attrs) do
 builder.text(body)
From 8b19a369e4a2845d36b74f17cc6562c006fde9b6 Mon Sep 17 00:00:00 2001
From: Eduardo Navarro
Date: Tue, 18 Sep 2018 13:55:31 +0200
Subject: [PATCH 2/2] Validate input of comments, without null character
This prevents the creation of a comment with the null character, that would make the comment invalid for xml output.
Co-authored-by: Victor Pereira
---
 src/api/app/models/comment.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/api/app/models/comment.rb b/src/api/app/models/comment.rb
index fdf3c3efd7b..3348770088b 100644
--- a/src/api/app/models/comment.rb
+++ b/src/api/app/models/comment.rb
@@ -7,6 +7,8 @@ class Comment < ApplicationRecord
 validates :body, :commentable, :user, presence: true
 # FIXME: this probably should be MEDIUMTEXT(16MB) instead of text (64KB)
 validates :body, length: { maximum: 65_535 }
+ validates :body, format: { with: /\A[^\u0000]*\Z/, message: 'must not contain null characters' }
 validate :validate_parent_id
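Review bot: `body.delete!("\u0000")` on the added line mutates the record's attribute inside a render method, so calling `to_xml` marks `body` as changed (ActiveRecord tracks in-place string mutation) and a later `save` on the same object would persist the stripped text as a side effect of rendering. A non-mutating form gives the same output without touching model state: drop the added line and write `builder.text(body.delete("\u0000"))` in place of `builder.text(body)`. Both this line and the format validation in the second hunk handle only NUL, which is the byte behind the reported error, but XML 1.0 also rejects the other C0 control characters apart from tab, LF and CR; whether those reach the output unescaped depends on the builder's escaping, which is not visible here, so it is worth checking with a body containing e.g. `"\u0001"`. `to_xml` begins before this hunk and its trailing context line is not shown, so the surrounding `do` block is not fully visible.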