From 21fd44f505f7b654f3a0dbe1cd2ef28350c83032 Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Mon, 8 Jul 2024 16:48:01 -0300
Subject: [PATCH] Bug 37018: Handle exception in unhandled_exception() helper

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Martin Renvoize
Signed-off-by: Jonathan Druart
Signed-off-by: Lucas Gass
---
 Koha/REST/Plugin/Exceptions.pm | 10 ++++++++++
 t/db_dependent/api/v1/query.t  |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Koha/REST/Plugin/Exceptions.pm b/Koha/REST/Plugin/Exceptions.pm
index 3bf60c1231..22f0b31443 100644
--- a/Koha/REST/Plugin/Exceptions.pm
+++ b/Koha/REST/Plugin/Exceptions.pm
@@ -59,6 +59,16 @@ sub register {
     my $path = $req->url->to_abs->path;
     my $type = "";
 
+    if ( blessed $exception && ref($exception) eq 'Koha::Exceptions::REST::Query::InvalidOperator' ) {
+        return $c->render(
+            status => 500,
+            json => {
+                error => printf( "Invalid operator in query: %s", $exception->operator ),
+                error_code => 'invalid_query',
+            }
+        );
+    }
+
     if ( blessed $exception ) {
         $type = "(" . ref($exception) . ")";
     }
diff --git a/t/db_dependent/api/v1/query.t b/t/db_dependent/api/v1/query.t
index f807f21ea2..353760ca99 100755
--- a/t/db_dependent/api/v1/query.t
+++ b/t/db_dependent/api/v1/query.t
@@ -171,7 +171,7 @@ subtest 'SQL injection in "query" handling' => sub {
         "[{\"-and\":[[{\"me.patron_id\":{\"like(IF(ASCII(SUBSTRING((SELECT version()),1,1))=ASCII('1'),SLEEP(1/100000),0))or\":\"\%a\%\"}}]]}]";
 
     $t->get_ok("//$userid:$password@/api/v1/patrons?q=$q")
-      ->status_is( 400, 'Attempt to inject SQL through operators is rejected' );
+      ->status_is( 500, 'Attempt to inject SQL through operators is rejected' );
 
     $schema->storage->txn_rollback;
 };
-- 
2.39.5
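Review bot: `error => printf( "Invalid operator in query: %s", $exception->operator )` in the added render call does not produce a string: `printf` writes to the currently selected filehandle and returns true, so the JSON body would carry `error => 1` while the message goes to STDOUT instead of the client; the intended call is `error => sprintf( "Invalid operator in query: %s", $exception->operator ),`. Separately, the branch handles a client-supplied query whose operator is not accepted, and the second hunk (t/db_dependent/api/v1/query.t) now expects that as a 500; a 4xx such as 400 would describe a rejected request more accurately and keep such rejections from being counted as server faults in error monitoring, though the choice of 500 may be deliberate here. The enclosing `register` sub starts and ends outside the hunk.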