| author | Azul <azul@riseup.net> | 2017-03-17 16:33:32 +0100 | 
|---|---|---|
| committer | Azul <azul@riseup.net> | 2017-03-20 09:01:14 +0100 | 
| commit | 74eb83587dd9c2e566e053cc0d33bb7aff517f01 (patch) | |
| tree | 61d36ef66310be7bd4f79cf88fec12bee63f61c7 | |
| parent | 1a69dc86077e5bbde4b6a8f181e5711384c1f253 (diff) | |
bugfix: format: html for home roots
That's the only thing the controller handles meaningfully.
Before, the route would also catch anything that started with a ., interpreting
it as a format string. This led to lots of false positives in our security
scanner.
| -rw-r--r-- | config/routes.rb | 7 | ||||
| -rw-r--r-- | test/integration/routes/no_route_test.rb | 17 | 
2 files changed, 22 insertions, 2 deletions
|
diff --git a/config/routes.rb b/config/routes.rb
index d388ab7..de328db 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -3,8 +3,11 @@ LeapWeb::Application.routes.draw do
   # Please do not use root_path or root_url. Use home_path and home_url instead,
   # so that the path will be correctly prefixed with the locale.
   #
-  root :to => "home#index"
-  get '(:locale)' => 'home#index', :locale => CommonLanguages.match_available, :as => 'home'
+
+  scope format: 'html' do
+    root :to => "home#index"
+    get '(:locale)' => 'home#index', :locale => CommonLanguages.match_available, :as => 'home'
+  end
   #
   # HTTP Error Handling
diff --git a/test/integration/routes/no_route_test.rb b/test/integration/routes/no_route_test.rb
new file mode 100644
index 0000000..a570f85
--- /dev/null
+++ b/test/integration/routes/no_route_test.rb
@@ -0,0 +1,17 @@
+require 'test_helper'
+
+class NoRouteTest < ActionDispatch::IntegrationTest
+
+  def test_path_with_dot
+    assert_no_route '.viminfo'
+  end
+
+  def assert_no_route(path, options = {})
+    options[:method] ||= :get
+    path = "/#{path}" unless path.first == "/"
+    params = @routes.recognize_path(path, method: :get)
+    flunk "Expected no route to '#{path}' but found: #{params.inspect}"
+  rescue ActionController::RoutingError
+    pass
+  end
+end
|
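Review bot: In config/routes.rb the new `scope format: 'html' do` has no comment saying why the format is pinned, so the reason (dot-prefixed paths being read as a format and routed to home#index) lives only in the commit message. I would add directly above the scope: `# Restrict the home routes to HTML so "/.<anything>" is not parsed as a format and routed to home#index.` The new test covers only the rejected case, so a positive routing assertion that `/` and a locale path still resolve to home#index would guard against the scope being too strict. The `routes.draw` block continues outside the hunk, so other routes that accept an arbitrary format cannot be judged from here.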
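Review bot: In test/integration/routes/no_route_test.rb, `assert_no_route` defaults `options[:method]` but then calls `recognize_path` with a hard-coded `method: :get`, so a caller passing another verb would silently be checked as GET. The call should read `params = @routes.recognize_path(path, method: options[:method])`. `options[:method] ||= :get` also writes into the caller's hash, and a keyword argument, `def assert_no_route(path, method: :get)`, avoids both problems. `path.first == "/"` depends on ActiveSupport's String#first, whereas `path.start_with?("/")` states the intent in plain Ruby.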
