umbraco / Umbraco.Forms.Issues

Public issue tracker for Umbraco Forms

InvalidOperationException: Could not retrieve non-field form values from the HttpContext #1150

Closed D-Inventor closed 5 months ago

D-Inventor commented 5 months ago

Bug summary

I've been running an Umbraco 10 site for a while now and I'm getting exceptions in my logs from the Recaptcha v2 field. The error indicates that a non-field form value could not be retrieved from the HttpContext.

Specifics

I'm using Umbraco forms version 10.5.2 on Umbraco 10.8.2. The error is likely caused by malicious bots that attempt to submit an Umbraco forms form. Though it likely doesn't directly impact users, I find it at the least unnecessary to find this error in my logs. The absence of a field in the form data should be handled just like any other mandatory field that is not filled in.

(Screenshot of the error in my log monitoring software)

Umbraco.Forms.Core.Providers.FieldTypes.RecaptchaBase.GetRecaptchaResponse(HttpContext context):157
Umbraco.Forms.Core.Providers.FieldTypes.Recaptcha2.ValidateField(Form form, Field field, IEnumerable`1 postedValues, HttpContext context, IPlaceholderParsingService placeholderParsingService, IFieldTypeStorage fieldTypeStorage):20
Umbraco.Forms.Web.Controllers.UmbracoFormsController.ValidateFormState(FormViewModel model, Form form)
Umbraco.Forms.Web.Controllers.UmbracoFormsController.HandleForm(FormViewModel model):68
(unknown).lambda_method756504(Closure , Object , Object[] ):-1
Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor+SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments):28
// ... rest of stacktrace omitted for brevity

Steps to reproduce

1) Create an Umbraco forms form that at least includes a Recaptcha v2 field.
2) Add the form to a page
3) Visit the page, open the DevTools console, fill in the form and submit successfully
4) Locate the POST request in DevTools, copy the request and import it into a tool like Postman
5) Remove the field 'g-recaptcha-response' from the form-data request body in Postman and send
6) Notice HTTP 500 error and the exception in your logs

Expected result

I expect to be redirected back to the form indicating that the recaptcha value was invalid or an HTTP 4xx response. I do not expect an HTTP 500 response nor errors in my logs.

Actual result

HTTP 500 response and errors in my logs. Screenshot of stacktrace was provided earlier.


This item has been added to our backlog AB#36930

AndyButland commented 5 months ago

I think the problem here is that we are using the presence of this form value as part of the check to determine whether or not the form post has come from a typical Razor page, or via a submission via the headless API. That's the reason you are getting the exception. The absence of the field has meant the code is following the API route, and then it's not finding some details it expects.

I can see how we can fix this up so will prepare for the next patch releases.
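
Added example, not part of the thread and not Umbraco Forms source: one way to get the behaviour the report expects, where a form post without 'g-recaptcha-response' produces a validation error instead of an exception. `RecaptchaFieldCheck`, `Validate`, `Demo` and the error text are hypothetical names; the sketch assumes a project that references the ASP.NET Core shared framework and builds its sample requests in memory.

```csharp
// Added illustration, not Umbraco Forms code. Only the ASP.NET Core types are real;
// RecaptchaFieldCheck, Validate and Demo are hypothetical names.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

public static class RecaptchaFieldCheck
{
    // Field name taken from the reproduction steps in the report.
    public const string ResponseField = "g-recaptcha-response";

    // Returns validation errors rather than throwing, so a post without the token
    // fails like any other unfilled mandatory field and never becomes an HTTP 500.
    public static IReadOnlyList<string> Validate(HttpContext context, out string token)
    {
        token = string.Empty;
        HttpRequest request = context.Request;

        // Request.Form throws InvalidOperationException on a non-form body, so test first.
        if (request.HasFormContentType &&
            request.Form.TryGetValue(ResponseField, out StringValues values) &&
            !string.IsNullOrWhiteSpace(values.ToString()))
        {
            token = values.ToString(); // still has to be verified with the reCAPTCHA service
            return Array.Empty<string>();
        }
        return new[] { "The reCAPTCHA response is missing." };
    }
}

public static class Demo
{
    // Constructed request: an in-memory form post with the given fields.
    private static HttpContext Post(Dictionary<string, StringValues> fields)
    {
        var ctx = new DefaultHttpContext();
        ctx.Request.Method = "POST";
        ctx.Request.ContentType = "application/x-www-form-urlencoded";
        ctx.Request.Form = new FormCollection(fields);
        return ctx;
    }

    public static void Main()
    {
        var complete = Post(new() { ["name"] = "a", [RecaptchaFieldCheck.ResponseField] = "constructed-token" });
        var stripped = Post(new() { ["name"] = "a" }); // same post with the field removed, as in step 5
        Console.WriteLine(RecaptchaFieldCheck.Validate(complete, out _).Count);
        Console.WriteLine(RecaptchaFieldCheck.Validate(stripped, out _).Count);
    }
}
```

A controller using a check like this would add the returned messages to its model state and re-render the form or return a 4xx response, which is the outcome described under "Expected result".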