Merge pull request #462 from Akashkarmakar787/master

Minimum length validation for the recaptcha token param

Author: grosser

README.md

@@ -589,6 +589,7 @@ Recaptcha.configure do |config|
   config.verify_url = 'https://hcaptcha.com/siteverify'
   config.api_server_url = 'https://hcaptcha.com/1/api.js'
   config.response_limit = 100000
+  config.response_minimum = 100
 end
 ```
 

lib/recaptcha.rb

@@ -55,7 +55,7 @@ def self.skip_env?(env)
   end
 
   def self.invalid_response?(resp)
-    resp.empty? || resp.length > configuration.response_limit
+    resp.empty? || resp.length > configuration.response_limit || resp.length < configuration.response_minimum
   end
 
   def self.verify_via_api_call(response, options)

lib/recaptcha/configuration.rb

@@ -38,7 +38,7 @@ class Configuration
     }.freeze
 
     attr_accessor :default_env, :skip_verify_env, :proxy, :secret_key, :site_key, :handle_timeouts_gracefully,
-                  :hostname, :enterprise, :enterprise_api_key, :enterprise_project_id, :response_limit
+                  :hostname, :enterprise, :enterprise_api_key, :enterprise_project_id, :response_limit, :response_minimum
     attr_writer :api_server_url, :verify_url
 
     def initialize # :nodoc:
@@ -57,6 +57,7 @@ def initialize # :nodoc:
       @api_server_url = nil
 
       @response_limit = 4000
+      @response_minimum = 100
     end
 
     def secret_key!

test/verify_enterprise_test.rb

@@ -180,7 +180,7 @@ def initialize
       assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
     end
 
-    it "does not verify via http call when response length exceeds G_RESPONSE_LIMIT" do
+    it "does not verify via http call when response length exceeds limit" do
       # this returns a 400 or 413 instead of a 200 response with error code
       # typical response length is less than 400 characters
       str = "a" * 4001
@@ -190,6 +190,16 @@ def initialize
       assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
     end
 
+    it "does not verify via http call when response length below limit" do
+      # this returns a 400 or 413 instead of a 200 response with error code
+      # typical response length is less than 100 characters
+      str = "a" * 99
+      @controller.params = { 'g-recaptcha-response' => "#{str}"}
+      assert_not_requested :get, %r{\.google\.com}
+      assert_equal false, @controller.verify_recaptcha
+      assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
+    end
+
     describe ':hostname' do
       let(:hostname) { 'fake.hostname.com' }
 

test/verify_test.rb

@@ -199,7 +199,7 @@ def initialize
       assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
     end
 
-    it "does not verify via http call when response length exceeds G_RESPONSE_LIMIT" do
+    it "does not verify via http call when response length exceeds limit" do
       # this returns a 400 or 413 instead of a 200 response with error code
       # typical response length is less than 400 characters
       str = "a" * 4001
@@ -209,6 +209,16 @@ def initialize
       assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
     end
 
+    it "does not verify via http call when response length below limit" do
+      # this returns a 400 or 413 instead of a 200 response with error code
+      # typical response length is less than 100 characters
+      str = "a" * 99
+      @controller.params = { 'g-recaptcha-response' => "#{str}"}
+      assert_not_requested :get, %r{\.google\.com}
+      assert_equal false, @controller.verify_recaptcha
+      assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error]
+    end
+
     describe ':hostname' do
       let(:hostname) { 'fake.hostname.com' }