Bug #1976


xmera Omnia - Collection #1934: Fixing of several bugs

An ActionController::InvalidCrossOriginRequest occurred in projects#autocomplete:

Added by liaham about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Affected Version:
Compatible Redmine Version:

Description


What did you expect?

I did expect to get an error message.

What has happened instead?

An exception was raised:

Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.

What could be a possible solution?

Rescue from ActionController::InvalidCrossOriginRequest in ApplicationController.

How can we reproduce the problem?

You can reproduce the error when you type into the browser:

https://<domain>/projects/autocomplete.js

In what environment are you running the plugin?


What browsers are you seeing the problem on?

  • Firefox
  • Chrome
  • Safari

Relevant log output


Started GET "/projects/autocomplete.js" for 192.168.2.186 at 2024-01-24 09:55:29 +0100
Processing by ProjectsController#autocomplete as JS
   (1.0ms)  SELECT MAX(`settings`.`updated_on`) FROM `settings`
  ↳ app/models/setting.rb:280:in `check_cache'
Settings cache cleared.
  Setting Load (1.1ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'rest_api_enabled' ORDER BY `settings`.`id` DESC LIMIT 1
  ↳ app/models/setting.rb:363:in `find_or_default'
  AnonymousUser Load (1.2ms)  SELECT `users`.* FROM `users` WHERE `users`.`type` = 'AnonymousUser' AND `users`.`lastname` = 'Anonymous' LIMIT 1
  ↳ app/models/user.rb:867:in `anonymous'
  Current user: anonymous
  Setting Load (1.1ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'login_required' ORDER BY `settings`.`id` DESC LIMIT 1
  ↳ app/models/setting.rb:363:in `find_or_default'
  Setting Load (1.1ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'force_default_language_for_anonymous' ORDER BY `settings`.`id` DESC LIMIT 1
  ↳ app/models/setting.rb:363:in `find_or_default'
  CustomMessageSetting Load (0.8ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'plugin_redmine_message_customize' ORDER BY `settings`.`id` DESC LIMIT 1
  ↳ app/models/setting.rb:363:in `find_or_default'
  Setting Load (0.5ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'force_default_language_for_loggedin' ORDER BY `settings`.`id` DESC LIMIT 1
  ↳ app/models/setting.rb:363:in `find_or_default'
  Setting Load (0.5ms)  SELECT `settings`.* FROM `settings` WHERE `settings`.`name` = 'default_language' ORDER BY `settings`.`id` DESC LIMIT 1
  ↳ app/models/setting.rb:363:in `find_or_default'
  Project Load (0.4ms)  SELECT `projects`.* FROM `projects` INNER JOIN `members` ON `projects`.`id` = `members`.`project_id` INNER JOIN `projects` `projects_members` ON `projects_members`.`id` = `members`.`project_id` WHERE `members`.`user_id` = 4 AND `projects`.`status` != 9
  ↳ app/controllers/projects_controller.rb:92:in `block (2 levels) in autocomplete'
  Rendering projects/autocomplete.js.erb
  Rendered projects/autocomplete.js.erb (Duration: 0.1ms | Allocations: 35)
Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
Completed 422 Unprocessable Entity in 42ms (Views: 1.1ms | ActiveRecord: 7.8ms | Allocations: 6774)

Actions #1

Updated by liaham about 1 year ago

  • Project changed from 71 to 46
  • Target version deleted (unreleased)
Actions #2

Updated by liaham about 1 year ago

  • Project changed from 46 to Redmine
  • Status changed from New to Feedback
  • Assignee set to liaham
  • % Done changed from 0 to 50
Actions #3

Updated by liaham about 1 year ago

Since Rails handles ActionController::InvalidCrossOriginRequest with HTTP status 422, the status should be changed.

See: https://github.com/rails/rails/blob/v6.1.7.6/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb

Actions #4

Updated by liaham about 1 year ago

  • Status changed from Feedback to Closed
  • % Done changed from 50 to 100
Actions #5

Updated by liaham about 1 year ago

Changed the HTTP status to 422 and renamed the method to render_unprocessable.
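
A stand-alone Ruby model of the check that raises this exception and of the fix proposed in the description and settled in this note (rescue in ApplicationController, respond with 422). This is an added example, not Redmine's or Rails' own code: Request, Response and the process dispatcher are constructed stand-ins, and verify_same_origin_request only mirrors the logic Rails applies to a non-XHR GET that renders JavaScript.

```ruby
require 'logger'

# Constructed stand-ins for the Rails request and response objects (not Rails' code).
Request = Struct.new(:http_method, :xhr, keyword_init: true) do
  def get?; http_method == 'GET'; end
  def xhr?; xhr; end
end
Response = Struct.new(:status, :media_type, :body, keyword_init: true)
class InvalidCrossOriginRequest < StandardError; end
# Warning text as it appears in the report's production.log.
CROSS_ORIGIN_JAVASCRIPT_WARNING =
  'Security warning: an embedded <script> tag on another site requested protected JavaScript.'

class ApplicationController
  def initialize(logger: Logger.new(nil))
    @logger = logger
  end
  # Stand-in for `rescue_from ActionController::InvalidCrossOriginRequest, with: :render_unprocessable`:
  # the exception becomes a plain 422 response instead of propagating to the exception notifier.
  def process(action, request)
    public_send(action, request)
  rescue InvalidCrossOriginRequest
    render_unprocessable
  end
  # Handler proposed in the report; 422 is the status Rails itself would return.
  def render_unprocessable
    Response.new(status: 422, media_type: 'text/html', body: 'Unprocessable Entity')
  end

  protected
  # Models Rails' verify_same_origin_request: a plain (non-XHR) GET that renders JavaScript
  # looks like a cross-site <script src="..."> include that could leak user-specific data, so it is refused.
  def verify_same_origin_request(request, response)
    return unless request.get? && !request.xhr?
    return unless response.media_type.match?(%r{\A(?:text|application)/javascript})
    @logger.warn(CROSS_ORIGIN_JAVASCRIPT_WARNING)
    raise InvalidCrossOriginRequest
  end
end

class ProjectsController < ApplicationController
  # Models projects#autocomplete rendering autocomplete.js.erb.
  def autocomplete(request)
    response = Response.new(status: 200, media_type: 'text/javascript',
                            body: "$('#projects').html('<li>Project 1</li>');")
    verify_same_origin_request(request, response)
    response
  end
end
```

Typing the .js URL into the address bar is the non-XHR GET case and now yields a 422 response; the same action called via XMLHttpRequest from Redmine's own pages still returns the script.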

Actions #6

Updated by liaham about 1 year ago

I do not expect Redmine to integrate the patch since the exception will only be raised when Redmine runs with the exception notifier. Without the notifier, Redmine will render a white page and return an HTTP status 422, which is pretty much the same as what the patch does.

Actions #7

Updated by liaham about 1 year ago

The exception notifier supports ignoring exceptions. This is the preferred way to solve this issue.
