From 7df57174cadb2b164df534ae8ef7851ecf817adc Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Thu, 24 Jun 2021 09:28:23 +0100
Subject: [PATCH] Merge pull request #4239 from overleaf/ae-html-error-message

Avoid using HTML responses as error messages

GitOrigin-RevId: 4cb8df259f51ff351c6f22fa82c016068ff87880
---
 .../frontend/js/infrastructure/fetch-json.js | 31 +++++---
 .../infrastructure/fetch-json.test.js | 74 +++++++++++++++++++
 2 files changed, 95 insertions(+), 10 deletions(-)

diff --git a/services/web/frontend/js/infrastructure/fetch-json.js b/services/web/frontend/js/infrastructure/fetch-json.js
index 19e272b7a5..681d8f6d91 100644
--- a/services/web/frontend/js/infrastructure/fetch-json.js
+++ b/services/web/frontend/js/infrastructure/fetch-json.js
@@ -151,18 +151,29 @@ function fetchJSON(
 * @param {Response} response
 * @returns {Promise}
 */
-function parseResponseBody(response) {
+async function parseResponseBody(response) {
 const contentType = response.headers.get('Content-Type')
+
 if (/application\/json/.test(contentType)) {
 return response.json()
- } else if (
- /text\/plain/.test(contentType) ||
- /text\/html/.test(contentType)
- ) {
- return response.text().then(message => ({ message }))
- } else {
- // response body ignored as content-type is either not set (e.g. 204
- // responses) or unsupported
- return Promise.resolve({})
 }
+
+ if (/text\/plain/.test(contentType)) { const message = await response.text()
+
+ return { message }
+ }
+
+ if (/text\/html/.test(contentType)) {
+ const message = await response.text()
+
+ // only use HTML responses which don't start with `<`
+ if (!/^\s*

lorem ipsum

', + }) + + const promise = getJSON('/test') + + expect(promise) + .to.eventually.be.rejectedWith('Internal Server Error') + .and.be.an.instanceOf(FetchError) + + try { + await promise + } catch (error) { + expect(error.data).to.eql({}) + } + }) + it('handles POST requests', function () { const body = { example: true }