From 00e4b842e9262b78d99c49c6ba6a219ce2bc8e51 Mon Sep 17 00:00:00 2001
From: AMHOL
Date: Thu, 8 Jul 2021 10:47:31 +0800
Subject: [PATCH 1/2] Handle invalid params in ControllerMethods#recaptcha_response_token

Fixes: #387
---
 lib/recaptcha/adapters/controller_methods.rb | 8 ++-
 test/verify_test.rb | 68 ++++++++++++++++++++
 2 files changed, 73 insertions(+), 3 deletions(-)

diff --git a/lib/recaptcha/adapters/controller_methods.rb b/lib/recaptcha/adapters/controller_methods.rb
index 31e85b69..8c657e27 100644
--- a/lib/recaptcha/adapters/controller_methods.rb
+++ b/lib/recaptcha/adapters/controller_methods.rb
@@ -83,10 +83,12 @@ def recaptcha_flash_supported?
 # @return [String] A response token if one was passed in the params; otherwise, `''`
 def recaptcha_response_token(action = nil)
 response_param = params['g-recaptcha-response-data'] || params['g-recaptcha-response']
- if response_param&.respond_to?(:to_h) # Includes ActionController::Parameters
- response_param[action].to_s
+ response_param = response_param[action] if action && response_param.respond_to?(:key?)
+
+ if String === response_param
+ response_param
 else
- response_param.to_s
+ ''
 end
 end
 end
diff --git a/test/verify_test.rb b/test/verify_test.rb
index 108dd34b..4397b9f9 100644
--- a/test/verify_test.rb
+++ b/test/verify_test.rb
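Review bot: The new `response_param = response_param[action] if action && response_param.respond_to?(:key?)` line drops the rationale the removed line carried (`# Includes ActionController::Parameters`), so a reader no longer sees why `key?` replaced `to_h`: Array answers `to_h` as well, which is presumably how the `["\n"]` value from the new tests reached `[]` with a String index in the old code, while `key?` is answered by Hash and ActionController::Parameters but not by Array. Suggest restoring that as `# key? is answered by Hash and ActionController::Parameters but not by Array`. The `String === response_param` condition is the case-equality form RuboCop flags (Style/CaseEquality); `response_param.is_a?(String)` states the same check more plainly. The `@return` doc could also say that any non-String value (nested hash, array, nil) is treated as absent and yields `''`, which is the behaviour the new tests pin.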
@@ -335,6 +335,73 @@
 end
 end
 
+ describe "#recaptcha_response_token" do
+ it "returns an empty string when params are empty and no action is provided" do
+ @controller.params = {}
+ assert_equal @controller.recaptcha_response_token, ""
+ end
+
+ it "returns an empty string when g-recaptcha-response-data is invalid and no action is provided" do
+ @controller.params = { "g-recaptcha-response-data" => {} }
+ assert_equal @controller.recaptcha_response_token, ""
+ end
+
+ it "returns an empty string when g-recaptcha-response is invalid and no action is provided" do
+ @controller.params = { "g-recaptcha-response" => {} }
+ assert_equal @controller.recaptcha_response_token, ""
+ end
+
+ it "returns the g-recaptcha-response-data when response is valid and no action is provided" do
+ @controller.params = { "g-recaptcha-response-data" => "recaptcha-response-data" }
+ assert_equal @controller.recaptcha_response_token, "recaptcha-response-data"
+ end
+
+ it "returns the g-recaptcha-response when response is valid and no action is provided" do
+ @controller.params = { "g-recaptcha-response" => "recaptcha-response" }
+ assert_equal @controller.recaptcha_response_token, "recaptcha-response"
+ end
+
+ it "returns an empty string when params are empty and an action is provided" do
+ @controller.params = {}
+ assert_equal @controller.recaptcha_response_token("test"), ""
+ end
+
+ it "returns an empty string when g-recaptcha-response-data params are invalid and an action is provided" do
+ @controller.params = { "g-recaptcha-response-data" => ["\n"] }
+ assert_equal @controller.recaptcha_response_token("test"), ""
+ end
+
+ it "returns an empty string when g-recaptcha-response-data params are nil and an action is provided" do
+ @controller.params = { "g-recaptcha-response-data" => nil }
+ assert_equal @controller.recaptcha_response_token("test"), ""
+ end
+
+ it "returns an empty string when g-recaptcha-response-data params are empty and an action is provided" do
+ @controller.params = { "g-recaptcha-response-data" => {} }
+ assert_equal @controller.recaptcha_response_token("test"), ""
+ end
+
+ it "returns an empty string when g-recaptcha-response-data params are valid but an invalid action is provided" do
+ @controller.params = { "g-recaptcha-response-data" => { "test2" => "recaptcha-response-data" } }
+ assert_equal @controller.recaptcha_response_token("test"), ""
+ end
+
+ it "returns an empty string when g-recaptcha-response params are valid but an invalid action is provided" do
+ @controller.params = { "g-recaptcha-response" => { "test2" => "recaptcha-response-data" } }
+ assert_equal @controller.recaptcha_response_token("test"), ""
+ end
+
+ it "returns the g-recaptcha-response-data action when params are valid and an action is provided" do
+ @controller.params = { "g-recaptcha-response-data" => { "test" => "recaptcha-response-data" } }
+ assert_equal @controller.recaptcha_response_token("test"), "recaptcha-response-data"
+ end
+
+ it "returns the g-recaptcha-response action when params are valid and an action is provided" do
+ @controller.params = { "g-recaptcha-response" => { "test" => "recaptcha-response" } }
+ assert_equal @controller.recaptcha_response_token("test"), "recaptcha-response"
+ end
+ end
+
 private
 
 class TestController
@@ -349,6 +416,7 @@ def initialize
 public :verify_recaptcha
 public :verify_recaptcha!
 public :recaptcha_reply
+ public :recaptcha_response_token
 end
 
 def expect_http_post(secret_key: Recaptcha.configuration.secret_key)

From 13f56ab91854d4446d0de4f6ff986e766e5d1e51 Mon Sep 17 00:00:00 2001
From: AMHOL
Date: Thu, 8 Jul 2021 10:49:21 +0800
Subject: [PATCH 2/2] Update changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e314bdf4..7e492304 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ## Next
+* Gracefully handle invalid params
 
 ## 5.8.0
 * Add support for the enterprise API
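Review bot: Every `assert_equal` in the new `#recaptcha_response_token` describe block passes the actual value first and the expected value second, e.g. `assert_equal @controller.recaptcha_response_token, ""`; Minitest's signature is `assert_equal(expected, actual)`, so a failure here would print the expected and actual values swapped. Suggest `assert_equal "", @controller.recaptcha_response_token` and the same order for the `"test"` action cases. The new cases also exercise only plain Hashes; if nothing else in the suite passes an `ActionController::Parameters` object through `params`, one such case would cover the Rails path that the `respond_to?(:key?)` check in the library change exists for.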