From 74eb83587dd9c2e566e053cc0d33bb7aff517f01 Mon Sep 17 00:00:00 2001
From: Azul
Date: Fri, 17 Mar 2017 16:33:32 +0100
Subject: bugfix: format: html for home roots

That's the only thing the controller handles meaningful. Before the route would also catch anything that started with a . interpreting it as a format string. This lead to lots of false positives in our security scanner.
---
 config/routes.rb | 7 +++++--
 test/integration/routes/no_route_test.rb | 17 +++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 test/integration/routes/no_route_test.rb

diff --git a/config/routes.rb b/config/routes.rb
index d388ab7..de328db 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -3,8 +3,11 @@ LeapWeb::Application.routes.draw do
 # Please do not use root_path or root_url. Use home_path and home_url instead,
 # so that the path will be correctly prefixed with the locale.
 #
- root :to => "home#index"
- get '(:locale)' => 'home#index', :locale => CommonLanguages.match_available, :as => 'home'
+
+ scope format: 'html' do
+ root :to => "home#index"
+ get '(:locale)' => 'home#index', :locale => CommonLanguages.match_available, :as => 'home'
+ end
 
 #
 # HTTP Error Handling
diff --git a/test/integration/routes/no_route_test.rb b/test/integration/routes/no_route_test.rb
new file mode 100644
index 0000000..a570f85
--- /dev/null
+++ b/test/integration/routes/no_route_test.rb
@@ -0,0 +1,17 @@
+require 'test_helper'
+
+class NoRouteTest < ActionDispatch::IntegrationTest
+
+ def test_path_with_dot
+ assert_no_route '.viminfo'
+ end
+
+ def assert_no_route(path, options = {})
+ options[:method] ||= :get
+ path = "/#{path}" unless path.first == "/"
+ params = @routes.recognize_path(path, method: :get)
+ flunk "Expected no route to '#{path}' but found: #{params.inspect}"
+ rescue ActionController::RoutingError
+ pass
+ end
+end
-- 
cgit v1.2.3
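Review bot: The reason for the new scope is invisible at the call site — nothing in the hunk says why `root` and the `(:locale)` route are now limited to `format: 'html'`, and a later edit that finds the wrapper redundant could reintroduce the dotted-path match the commit message describes. A one-line comment above `scope format: 'html' do`, such as `# Only html is served here: with an open (.:format) segment any dotted path (e.g. /.viminfo) was routed to home#index.`, keeps the reason next to the constraint. The added empty `+` line also detaches the existing "Please do not use root_path" comment from the block it documents; dropping that blank line keeps them together. Mixing `format: 'html'` with the hash-rocket `:to =>` / `:locale =>` style on the lines inside the scope is a minor inconsistency worth settling one way.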
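Review bot: In `assert_no_route` the `options[:method] ||= :get` default is computed but never used — `@routes.recognize_path(path, method: :get)` hard-codes GET, so a caller passing `method: :post` would silently still be checking the GET route. Either read it, `params = @routes.recognize_path(path, method: options[:method])`, or replace the options hash with a keyword, `def assert_no_route(path, method: :get)` and `method: method` in the call. `path.first == "/"` relies on ActiveSupport's `String#first`; `path.start_with?('/')` is the plain-Ruby form and states the intent directly. The single `.viminfo` case only reaches the root route; a second case with a locale prefix (a constructed example such as `en.viminfo`, assuming `en` is an available locale) would also exercise the `(:locale)` route the scope now constrains.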