Merge pull request #309 from yifeiwu/master

Fail fast for long g-responses
ambethia · Apr 1, 2019 · 92bec04 · 92bec04
2 parents a6ece93 + c83c878
commit 92bec04
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/lib/recaptcha/verify.rb b/lib/recaptcha/verify.rb
@@ -4,6 +4,7 @@
 
 module Recaptcha
   module Verify
+    G_RESPONSE_LIMIT = 4000
     # Your private API can be specified in the +options+ hash or preferably
     # using the Configuration.
     def verify_recaptcha(options = {})
@@ -15,7 +16,7 @@ def verify_recaptcha(options = {})
       recaptcha_response = options[:response] || params['g-recaptcha-response'].to_s
 
       begin
-        verified = if recaptcha_response.empty?
+        verified = if recaptcha_response.empty? || recaptcha_response.length > G_RESPONSE_LIMIT
           false
         else
           recaptcha_verify_via_api_call(request, recaptcha_response, options)

diff --git a/test/verify_test.rb b/test/verify_test.rb
@@ -172,6 +172,16 @@
       assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
     end
 
+    it "does not verify via http call when response length exceeds G_RESPONSE_LIMIT" do
+      # this returns a 400 or 413 instead of a 200 response with error code
+      # typical response length is less than 400 characters
+      str = "a" * 4001
+      @controller.params = { 'g-recaptcha-response' => "#{str}"}
+      assert_not_requested :get, %r{\.google\.com}
+      assert_equal false, @controller.verify_recaptcha
+      assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
+    end
+
     describe ':hostname' do
       let(:hostname) { 'fake.hostname.com' }