
Handle invalid API JSON input gracefully

Heinrich Lee Yu requested to merge 439248-fix-api-json-error into master

What does this MR do and why?

Return a 400 when user provides unparseable JSON input

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

curl http://localhost:3000/api/v4/projects -X POST -H 'Content-Type: application/json' -d '{"test":"random_\$escaped/symbols\;here"}'

Note that the exception only happens with Grape and only with strings like these because:

  1. Grape uses oj to parse the JSON body while ActionDispatch uses the default JSON library
  2. This JSON string can be parsed by JSON but not oj: https://github.com/ohler55/oj/issues/541
  3. Our HandleMalformedStrings middleware catches invalid request bodies that cannot be parsed by ActionDispatch. So this does not get caught and goes on to get parsed by Grape.

Related to #439248 (closed)

Edited by Heinrich Lee Yu
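The failure mode listed above, as an added example that is not GitLab's code and not part of this merge request: an outer check validates the body with one parser, the endpoint parses it with a stricter one, and the stricter parser's exception surfaces as a 500 unless the endpoint maps it to a 400. `LENIENT` and `STRICT` are constructed stand-ins that only model the disagreement (they are not the json gem or Oj), and `outer_layer`, `UNHANDLED` and `HANDLED` are hypothetical names.

```ruby
require 'json'

# Constructed stand-ins for two JSON parsers that disagree on unknown escapes.
RFC_ESCAPES = '"\\/bfnrtu'.freeze # characters allowed after a backslash
StrictParseError = Class.new(StandardError)

# Lenient model: silently drops the backslash of an unknown escape.
LENIENT = lambda do |body|
  JSON.parse(body.gsub(/\\(.)/m) { RFC_ESCAPES.include?($1) ? $& : $1 })
end

# Strict model: refuses any escape outside the allowed set.
STRICT = lambda do |body|
  bad = body.scan(/\\(.)/m).flatten.find { |c| !RFC_ESCAPES.include?(c) }
  raise StrictParseError, "invalid escape \\#{bad}" if bad
  JSON.parse(body)
end

# Outer layer: rejects only what its own parser cannot read, then delegates.
# Any exception escaping the endpoint becomes a generic 500.
def outer_layer(body, endpoint)
  begin
    LENIENT.call(body)
  rescue JSON::ParserError
    return [400, 'bad request (outer check)']
  end
  endpoint.call(body)
rescue StandardError
  [500, 'internal server error']
end

# Before: the endpoint's parser error is unhandled.
UNHANDLED = ->(body) { [201, STRICT.call(body)] }

# After: the endpoint maps its own parser's failure to a client error.
HANDLED = lambda do |body|
  [201, STRICT.call(body)]
rescue StrictParseError, JSON::ParserError => e
  [400, "bad request: #{e.message}"]
end

BODY = '{"test":"random_\$escaped/symbols\;here"}' # body from the curl command

def demo
  { before: outer_layer(BODY, UNHANDLED).first, after: outer_layer(BODY, HANDLED).first,
    valid: outer_layer('{"test":"ok"}', HANDLED).first,
    truncated: outer_layer('{"test":', HANDLED).first }
end

p demo if $PROGRAM_NAME == __FILE__
```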
