Fixing url parse errors

[jameslzhu]

Bug reproduction: navigate to any url of the form:

• http://hkn.eecs.berkeley.edu/exams/course/
• http://hkn.eecs.berkeley.edu/calendar?month=%22%20&%20sleep%204%20&%20%22&year=2018
• http://hkn.eecs.berkeley.edu/tutor/calendar?month=qwioenurqiopwuneropquwejioruj&year=2017asdfasdfsdfasdf
• http://hkn.eecs.berkeley.edu/events/past?event_filter=mandatory%20for%20candidates&page=file://../../WEB-INF/web.xml&sort=start_time&sort_direction=up
• http://hkn.eecs.berkeley.edu/coursesurveys/rating/424076 (undefined method private for NilClass)
• http://hkn.eecs.berkeley.edu/events/past?event_filter=mandatory%20for%20candidates&page=-1839&sort=start_time&sort_direction=down (invalid page -1839)

These are available on Rollbar as error 68, 93, 95, 99, 110.

These all stem from poor url parsing, especially assumed Integer conversion successes (errors are uncaught).

Ex: error 68.

Traceback: models/exam.rb.

Root cause: department (decoded from url) assumed to be found (no nil checks), causing dept.name to throw 'undefined method 'name''.

[jameslzhu]

It appears that, for many invalid routes below the root, the 404 page isn't used; instead handlers frequently assume that the url is valid, and throw some sort of error when this isn't the case.

I don't think it's feasible to handle 404 errors at the top-level router (as response handling is delegated), but perhaps for each subpage's routing it may be.

[jameslzhu]

Update: https://rollbar.com/compserv/hkn-rails/items/93/?person_page=0&#ip-addresses This contained the following error traceback:

ArgumentError: invalid value for Integer(): "/../../../../../../../windows/win.ini............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................\u0000."

File /home/h/hk/hkn/hkn-rails/migrate/releases/20190107053052/app/controllers/events_controller.rb, line 62 in index

The root of this is bad url parsing: assuming a cast to Integer will work, and not handling any errors.