strict_request_uri

Reject requests with an invalid REQUEST_URI at the gate. Some HTTP clients will happily append raw junk bytes to your URL before making a request. Others will first append junk, and then URL-encode it.

What you want for a valid URL is something that is

This gem provides a Rack middleware that tries to decode REQUEST_URI. If it cannot be decoded, an error page is rendered instead:

use StrictRequestUri do |env|
  # You can use the preserved invalid path+qs to do additional checks/logging
  logger.warn "Invalid URL received"
  logger.warn env['strict_uri.original_invalid_url']

  # You can also render a suggestion or redirect based on the suggested fixed URL.
  # The fixed URL will have all junk at the end removed until the string becomes a valid URL.
  logger.warn "Suggested instead:"
  logger.warn env['strict_uri.proposed_fixed_url']

  [400, {'Content-Type' => 'text/plain'}, ['This is a no go mate']]
end

Note that the PATH_INFO and QUERY_STRING variables in the Rack env are going to be replaced with something harmless (because they get used to render self-URLs and so on).
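
The flow described above (decode check, preserved original URL, trimmed suggestion, neutralized PATH_INFO and QUERY_STRING), as an added sketch that is not the gem's own source. Assumptions: "decodable" means well-formed percent-escapes that decode to valid UTF-8, REQUEST_URI holds the path plus query string, and the module name, helper names and the '/invalid-url' placeholder are hypothetical.

```ruby
# Added sketch, not the gem's source. Assumed rule: a URL is decodable when
# every percent-escape is well formed and the decoded bytes are valid UTF-8.
module UriGateSketch
  MALFORMED_ESCAPE = /%(?![0-9A-Fa-f]{2})/

  # True when the raw path+query percent-decodes into valid UTF-8.
  def self.decodable?(raw)
    bytes = raw.dup.force_encoding(Encoding::BINARY) # work on bytes, not characters
    return false if bytes.match?(MALFORMED_ESCAPE)
    decoded = bytes.gsub(/%[0-9A-Fa-f]{2}/) { |esc| esc[1, 2].hex.chr }
    decoded.force_encoding(Encoding::UTF_8).valid_encoding?
  end

  # Drops trailing bytes one at a time until the remainder is decodable.
  def self.trim_junk(raw)
    candidate = raw.dup.force_encoding(Encoding::BINARY)
    candidate = candidate[0...-1] until candidate.empty? || decodable?(candidate)
    candidate
  end

  # Rack-style gate: clean requests pass through; anything else is recorded
  # under the env keys named on this page and handed to the error app.
  class Gate
    def initialize(app, &error_app)
      @app = app
      @error_app = error_app
    end

    def call(env)
      raw = env['REQUEST_URI'].to_s
      return @app.call(env) if UriGateSketch.decodable?(raw)

      env['strict_uri.original_invalid_url'] = raw
      env['strict_uri.proposed_fixed_url'] = UriGateSketch.trim_junk(raw)
      # Hypothetical harmless values so self-URL rendering never sees the junk.
      env['PATH_INFO'] = '/invalid-url'
      env['QUERY_STRING'] = ''
      @error_app.call(env)
    end
  end
end
```

Log the preserved original with `inspect` rather than raw, since it may contain bytes that are not valid in your log encoding.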

You can also use it in your Rails middleware stack, and render a controller action in return:

Rails.application.config.middleware.insert_after 'Warden::Manager', StrictRequestUri do |env|
  ErrorPagesController.action(:invalid_url).call(env)
end

Contributing to strict_request_uri

Copyright © 2016 WeTransfer. See LICENSE.txt for further details.