Skip to content

Do not allow POST requests to /sitemaps #3491

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hannako wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Do not allow POST requests to /sitemaps #3491

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions lib/rummager/app.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -317,6 +317,12 @@ def get_type_from_request_body(request_body)
serve_from_s3(sitemap)
end

post "/sitemaps/*" do
Copy link
Copy Markdown
Contributor

@koetsier koetsier Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this will fix it. The error in Sentry is Invalid multipart/form-data: Rack::Multipart::EmptyContentError (Sinatra::BadRequest) I think this is a bot sending a broken http request to the sitemaps endpoint

It's probably better to catch the Sinatra::BadRequest error like:

error Sinatra::BadRequest do
  status 400
  "Bad request"
end

Copy link
Copy Markdown
Contributor Author

@hannako hannako Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we need both? If a bot sends a valid body it would hit the post route right?

Copy link
Copy Markdown
Contributor

@koetsier koetsier Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm actually not sure what would happen. Maybe it would return a 404? We could try it out using curl

headers = { "Allow" => "GET" }
body = { message: "Method Not Allowed: Use GET to access the sitemap." }.to_json
halt(405, headers, body)
end

def serve_from_s3(key)
o = Services.s3_client.get_object(bucket: ENV["AWS_S3_SITEMAPS_BUCKET_NAME"], key:)

Expand Down
9 changes: 9 additions & 0 deletions spec/integration/app/sitemap_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,4 +55,13 @@
end
end
end

describe "post /sitemaps/*" do
it "returns a 405 error message" do
post "/sitemaps/server/anything/stuff.php"
expect(last_response.status).to eq(405)
expect(last_response.headers["Allow"]).to eq("GET")
expect(last_response.body).to eq({ message: "Method Not Allowed: Use GET to access the sitemap." }.to_json)
end
end
end