Validators bad encoding (#2524)

* Use scrub when possible
Add specs for bad encoding.

* Fix rubocop
Add CHANGELOG.md entry

CHANGELOG.md

@@ -21,6 +21,7 @@
 * [#2510](https://github.com/ruby-grape/grape/pull/2510): Fix ContractScope's validator inheritance - [@ericproulx](https://github.com/ericproulx).
 * [#2521](https://github.com/ruby-grape/grape/pull/2521): Fixed typo in README - [@datpmt](https://github.com/datpmt).
 * [#2525](https://github.com/ruby-grape/grape/pull/2525): Require logger before active_support - [@ericproulx](https://github.com/ericproulx).
+* [#2524](https://github.com/ruby-grape/grape/pull/2524): Fix validators bad encoding - [@ericproulx](https://github.com/ericproulx).
 * Your contribution here.
 
 ### 2.2.0 (2024-09-14)

lib/grape/middleware/versioner/accept_version_header.rb

@@ -18,7 +18,9 @@ module Versioner
       # route.
       class AcceptVersionHeader < Base
         def before
-          potential_version = env[Grape::Http::Headers::HTTP_ACCEPT_VERSION]&.strip
+          potential_version = env[Grape::Http::Headers::HTTP_ACCEPT_VERSION]
+          potential_version = potential_version.scrub unless potential_version.nil?
+
           not_acceptable!('Accept-Version header must be set.') if strict? && potential_version.blank?
 
           return if potential_version.blank?

lib/grape/validations/validators/allow_blank_validator.rb

@@ -8,7 +8,7 @@ def validate_param!(attr_name, params)
           return if (options_key?(:value) ? @option[:value] : @option) || !params.is_a?(Hash)
 
           value = params[attr_name]
-          value = value.strip if value.respond_to?(:strip)
+          value = value.scrub if value.respond_to?(:scrub)
 
           return if value == false || value.present?
 

lib/grape/validations/validators/regexp_validator.rb

@@ -6,7 +6,7 @@ module Validators
       class RegexpValidator < Base
         def validate_param!(attr_name, params)
           return unless params.respond_to?(:key?) && params.key?(attr_name)
-          return if Array.wrap(params[attr_name]).all? { |param| param.nil? || param.to_s.match?((options_key?(:value) ? @option[:value] : @option)) }
+          return if Array.wrap(params[attr_name]).all? { |param| param.nil? || param.to_s.scrub.match?((options_key?(:value) ? @option[:value] : @option)) }
 
           raise Grape::Exceptions::Validation.new(params: [@scope.full_name(attr_name)], message: message(:regexp))
         end

lib/grape/validations/validators/values_validator.rb

@@ -16,6 +16,8 @@ def validate_param!(attr_name, params)
 
           return if val.nil? && !required_for_root_scope?
 
+          val = val.scrub if val.respond_to?(:scrub)
+
           # don't forget that +false.blank?+ is true
           return if val != false && val.blank? && @allow_blank
 

spec/grape/middleware/versioner/accept_version_header_spec.rb

@@ -13,6 +13,18 @@
     }
   end
 
+  describe '#bad encoding' do
+    before do
+      @options[:versions] = %w[v1]
+    end
+
+    it 'does not raise an error' do
+      expect do
+        subject.call(Grape::Http::Headers::HTTP_ACCEPT_VERSION => "\x80")
+      end.to throw_symbol(:error, status: 406, headers: { Grape::Http::Headers::X_CASCADE => 'pass' }, message: 'The requested version is not supported.')
+    end
+  end
+
   context 'api.version' do
     before do
       @options[:versions] = ['v1']

spec/grape/validations/validators/allow_blank_validator_spec.rb

@@ -244,6 +244,25 @@
     end
   end
 
+  describe 'bad encoding' do
+    let(:app) do
+      Class.new(Grape::API) do
+        default_format :json
+
+        params do
+          requires :name, type: String, allow_blank: false
+        end
+        get '/bad_encoding'
+      end
+    end
+
+    context 'when value has bad encoding' do
+      it 'does not raise an error' do
+        expect { get('/bad_encoding', { name: "Hello \x80" }) }.not_to raise_error
+      end
+    end
+  end
+
   context 'invalid input' do
     it 'refuses empty string' do
       get '/disallow_blank', name: ''

spec/grape/validations/validators/regexp_validator_spec.rb

@@ -41,6 +41,25 @@
     end
   end
 
+  describe '#bad encoding' do
+    let(:app) do
+      Class.new(Grape::API) do
+        default_format :json
+
+        params do
+          requires :name, regexp: { value: /^[a-z]+$/ }
+        end
+        get '/bad_encoding'
+      end
+    end
+
+    context 'when value as bad encoding' do
+      it 'does not raise an error' do
+        expect { get '/bad_encoding', name: "Hello \x80" }.not_to raise_error
+      end
+    end
+  end
+
   context 'custom validation message' do
     context 'with invalid input' do
       it 'refuses inapppopriate' do

spec/grape/validations/validators/values_validator_spec.rb

@@ -277,6 +277,25 @@ def default_excepts
     stub_const('ValuesModel', values_model)
   end
 
+  describe '#bad encoding' do
+    let(:app) do
+      Class.new(Grape::API) do
+        default_format :json
+
+        params do
+          requires :type, type: String, values: %w[a b]
+        end
+        get '/bad_encoding'
+      end
+    end
+
+    context 'when value as bad encoding' do
+      it 'does not raise an error' do
+        expect { get '/bad_encoding', type: "Hello \x80" }.not_to raise_error
+      end
+    end
+  end
+
   context 'with a custom validation message' do
     it 'allows a valid value for a parameter' do
       get('/custom_message', type: 'valid-type1')