fix: handle request URLs that include non-ASCII characters (#1021)

waltjones · web-flow · commit 30964f4e2da1 · 2021-02-10T13:48:49.000-05:00
diff --git a/lib/rollbar/scrubbers/url.rb b/lib/rollbar/scrubbers/url.rb
@@ -13,7 +13,7 @@ def self.call(*args)
       end
 
       def call(options = {})
-        url = options[:url]
+        url = ascii_encode(options[:url])
 
         filter(url,
                build_regex(options[:scrub_fields]),
@@ -29,6 +29,20 @@ def call(options = {})
 
       private
 
+      def ascii_encode(url)
+        # In some cases non-ascii characters won't be properly encoded, so we do it here.
+        #
+        # The standard encoders (the CGI and URI methods) are not reliable when the query string
+        # is already embedded in the full URL, but the inconsistencies are limited to issues
+        # with characters in the ascii range. (For example, the '#' if it appears in an unexpected place.)
+        # For escaping non-ascii, they are all OK, so we'll take care to skip the ascii chars.
+
+        return url if url.ascii_only?
+
+        # Iterate each char and only escape non-ascii characters.
+        url.each_char.map { |c| c.ascii_only? ? c : CGI.escape(c) }.join
+      end
+
       def build_whitelist_regex(whitelist)
         fields = whitelist.find_all { |f| f.is_a?(String) || f.is_a?(Symbol) }
         return unless fields.any?
diff --git a/spec/rollbar/scrubbers/url_spec.rb b/spec/rollbar/scrubbers/url_spec.rb
@@ -112,6 +112,26 @@
         end
       end
 
+      context 'with non-ASCII UTF-8 encoded URL' do
+        let(:url) { 'http://foo.com/some-path?foo=あああ'.force_encoding(Encoding::UTF_8) }
+        before { reconfigure_notifier }
+
+        it 'returns the URI encoded url' do
+          expected_url = 'http://foo.com/some-path?foo=%E3%81%82%E3%81%82%E3%81%82'
+          expect(subject.call(options)).to match(expected_url)
+        end
+      end
+
+      context 'with non-ASCII ASCII-8BIT encoded URL' do
+        let(:url) { 'http://foo.com/some-path?foo=あああ'.force_encoding(Encoding::ASCII_8BIT) }
+        before { reconfigure_notifier }
+
+        it 'returns the URI encoded url' do
+          expected_url = 'http://foo.com/some-path?foo=%E3%81%82%E3%81%82%E3%81%82'
+          expect(subject.call(options)).to match(expected_url)
+        end
+      end
+
       context 'with URL with spaces and arrays' do
         let(:url) do
           'https://server.com/api/v1/assignments/4430038?user_id=1&assignable_id=2&starts_at=Wed%20Jul%2013%202016%2000%3A00%3A00%20GMT-0700%20(PDT)&ends_at=Fri%20Jul%2029%202016%2000%3A00%3A00%20GMT-0700%20(PDT)&allocation_mode=hours_per_day&percent=&fixed_hours=&hours_per_day=0&auth=REMOVED&___uidh=2228207862&password[]=mypassword'
