collimarco
(Marco Colli)
November 24, 2023, 1:52pm
1
It’s a user input… what am I supposed to do?
The code is pretty simple:
```
@post = @project.posts.build post_params
@post.save
```
If some users pass a null byte through the REST API (post_params), Rails produces a 500 Internal Server Error on save. This is what I see from logs:
```
ArgumentError (string contains null byte)
```
Why doesn’t Rails try to do something better? Like removing null bytes automatically or returning a 4xx error?
What is the correct solution to this 500 error?
1 Like
collimarco
(Marco Colli)
November 25, 2023, 6:57am
2
In the JSON standard (as defined by RFC 8259), null bytes (i.e., the byte with value 0x00) are not allowed within the JSON text.
This means that this is a Rails bug.
When a JSON request is decoded into params, the strings should not contain null bytes. If a string contains null bytes, that is an invalid JSON and an appropriate 4xx error should be returned to the client.
1 Like
collimarco
(Marco Colli)
November 25, 2023, 7:05am
3
I have opened an issue on GitHub:
opened 07:04AM - 25 Nov 23 UTC
### Steps to reproduce
```
@post = @project.posts.build post_params
@post.save
```
If some users pass a null byte through the REST API (post_params), Rails produces a 500 Internal Server Error on save. This is what I see from logs:
```
ArgumentError (string contains null byte)
```
### More details
In the JSON standard (as defined by RFC 8259), null bytes (i.e., the byte with value 0x00) are not allowed within the JSON text.
When a JSON request is decoded into params, the strings should not contain null bytes. If a string contains null bytes, that is an invalid JSON and an appropriate 4xx error should be returned to the client.
### Expected behavior
Rails returns a 4xx error when a JSON request is decoded if it contains null bytes.
### Actual behavior
Rails ignores the null bytes in the JSON string (and then raises a weird exception during `.save`).
### System configuration
**Rails version**: 7.1.2
**Ruby version**: 3.2.2
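One way to get a 4xx instead of the 500 discussed in this thread, as an added example that is not part of the original posts or of Rails itself: a Rack-style middleware that decodes a JSON body and answers 400 when any key or string value contains a null byte. The class name `RejectNullBytes`, the error payload and the sample bodies used to exercise it are assumptions made for illustration; only Ruby's standard library is used.

```ruby
require "json"
require "stringio"

# Hypothetical Rack-style middleware: responds 400 when a JSON request body
# contains a null byte, either raw or as a decoded \u0000 escape.
class RejectNullBytes
  NULL = "\u0000"

  def initialize(app)
    @app = app
  end

  def call(env)
    if env["CONTENT_TYPE"].to_s.start_with?("application/json")
      body = env["rack.input"]&.read.to_s
      env["rack.input"] = StringIO.new(body) # hand the body on to the app
      return bad_request if null_byte_in_json?(body)
    end
    @app.call(env)
  end

  # True when the body, or any key or string value decoded from it, holds U+0000.
  def null_byte_in_json?(body)
    return false if body.empty?
    return true if body.include?(NULL)
    contains_null?(JSON.parse(body))
  rescue JSON::ParserError
    false # malformed JSON is left for the framework's own parser to report
  end

  private

  def contains_null?(node)
    case node
    when String then node.include?(NULL)
    when Array  then node.any? { |v| contains_null?(v) }
    when Hash   then node.any? { |k, v| contains_null?(k) || contains_null?(v) }
    else false
    end
  end

  def bad_request
    payload = JSON.generate(error: "null byte in request body")
    [400, { "content-type" => "application/json" }, [payload]]
  end
end
```

In a Rails application this could be registered with `config.middleware.use RejectNullBytes`; it parses the body one extra time, so it trades a little CPU for an early, explicit 400.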