Bug (potential security issue): XLSX content is included in body when `render nothing: true` is called

Hi folks,

I'm generating an XLSX file in a controller which checks authorization and raises an error if the user isn't authorized to view the file.

The issue If you raise an error in the controller method and rescue it in ApplicationController, the content of the excel file is still Base64-encoded in the body when you render nothing: true. This could be a security risk - it would have been in my case.

Roughly, my setup is as follows (this is a small replication of the problem, not my actual code). My route has XLSX as the default format, and the view renders the XLSX as described in the README.

Example replication

# route to /items/:id
resources :items, only: [:show], defaults: {format: :xlsx}

# controller in which the error is raised
class ItemsController < ApplicationController
   def show
      @model_data = SomeModel.find(params[:id])
      raise SomeError, "you are not allowed to view this file"
   end
end

# rescuing the error in ApplicationController

class ApplicationController

#....

   rescue_from SomeError do |error|
     # THIS IS THE DANGEROUS BIT - render nothing: true here will return 
     # the XLSX binary, base64-encoded, inside the body of the response, 
     # with an HTTP 403 response code.
      render nothing: true, layout: 'error', status: 403
   end

#....

end

Workaround My solution is to instead call head status: :forbidden in the rescue block, which does what you would expect and includes no body.

I can't replicate this bug using other renderers, so I think the problem exists in the XLSX renderer. I did have a look through the source and couldn't immediately see the problem.

Hope this is useful.

caxlsx / caxlsx_rails

Bug (potential security issue): XLSX content is included in body when `render nothing: true` is called #156