Catch UnicodeDecodeError in extract_ajax_token (#63)

Ensure that any unicode decoding errors are caught while we load the json request body. If that's the case, return None from extract_ajax_token. This fixes the scenario where invalid utf-8 characters pass through json.loads() and cause the program to crash.
yunojuno · Oct 23, 2024 · 9b964ff · 9b964ff
1 parent 3489284
commit 9b964ff
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 1 deletion.
diff --git a/request_token/exceptions.py b/request_token/exceptions.py
@@ -4,6 +4,7 @@
 These exceptions all inherit from the PyJWT base InvalidTokenError.
 
 """
+
 from __future__ import annotations
 
 from jwt.exceptions import InvalidTokenError

diff --git a/request_token/management/commands/truncate_request_token_log.py b/request_token/management/commands/truncate_request_token_log.py
@@ -7,6 +7,7 @@
 period of time.
 
 """
+
 from argparse import ArgumentParser
 from datetime import datetime, timedelta
 from typing import Any

diff --git a/request_token/middleware.py b/request_token/middleware.py
@@ -34,6 +34,9 @@ def extract_ajax_token(self, request: HttpRequest) -> str | None:
             payload = json.loads(request.body)
         except json.decoder.JSONDecodeError:
             return None
+        except UnicodeDecodeError:
+            return None
+
         try:
             return payload.get(JWT_QUERYSTRING_ARG)
         except AttributeError:

diff --git a/request_token/utils.py b/request_token/utils.py
@@ -1,4 +1,5 @@
 """Basic encode/decode utils, taken from PyJWT."""
+
 from __future__ import annotations
 
 import calendar

diff --git a/tests/test_middleware.py b/tests/test_middleware.py
@@ -147,3 +147,14 @@ def test_extract_json_token(self):
         request = self.post_request_with_JSON(self.default_payload)
         middleware = RequestTokenMiddleware(lambda r: HttpResponse())
         self.assertEqual(middleware.extract_ajax_token(request), self.token.jwt())
+
+    def test_extract_ajax_token_catches_unicode_error(self):
+        request = self.factory.post(
+            "/", data=b"\xa0", content_type="application/json"  # Invalid UTF-8 data
+        )
+        request.user = self.user
+        request.session = MockSession()
+
+        middleware = RequestTokenMiddleware(get_response=lambda r: HttpResponse())
+        result = middleware.extract_ajax_token(request)
+        self.assertIsNone(result)
diff --git a/tox.ini b/tox.ini
@@ -48,7 +48,7 @@ deps =
     ruff
 
 commands =
-    ruff request_token
+    ruff check request_token
 
 [testenv:mypy]
 description = Python source code type hints (mypy)
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ @@
     These exceptions all inherit from the PyJWT base InvalidTokenError.
     """
     from __future__ import annotations
     from jwt.exceptions import InvalidTokenError
@@ Expand Down @@