Description
Current Behavior
In some cases, spam bots send malformed requests to the form. These requests cause errors that are not intercepted, yet the response is still returned with HTTP status 200.
We are currently experiencing numerous spam requests with malformed formRuntimeData values. These requests trigger a JsonException during JSON decoding, which is not being caught. This ultimately results in a Twig rendering exception being shown to the user.
The JsonException originates in the class DynamicFormType.php at line 67 and is not intercepted.
Example of the POST body:
formbuilder_10[formId]=10&formbuilder_10[inputUserName]=Leemet&formbuilder_10[formCl]=%5B%5D&formbuilder_10[formRuntimeData]=%7B%26quot%3Bform_preset%26quot%3B%3A%26quot%3Bcustom%26quot%3B%2C%26quot%3Bform_template%26quot%3B%3A%26quot%3Bbootstrap_4_layout%26quot%3B%2C%26quot%3Bform_output_workflow%26quot%3B%3A1%2C%26quot%3Bcustom_options%26quot%3B%3A%5B%5D%2C%26quot%3Bform_template_full_path%26quot%3B%3A%26quot%3B%40FormBuilder%5C%2Fform%5C%2Ftheme%5C%2Fbootstrap_4_layout.html.twig%26quot%3B%7D&formbuilder_1[formRuntimeDataToken]=5.YKbuniaye6TKrW871kVFZqK-aQzOL1_tT-HJ-trrXFU.GpCv7l-BKs24nxtf4XUDS5b9ClWFcBWgHaawsbPSPy8RlqGzdu0D6Y7AWw&formbuilder_1[fieldset][0][first_name]=Leemet&formbuilder_1[fieldset][0][last_name]=Leemet&formbuilder_1[fieldset][0][street]=Siegesallee&formbuilder_1[fieldset][0][zipcode]=114215&formbuilder_1[fieldset][0][city]=Leo&formbuilder_1[fieldset][0][phone]=89113148742&formbuilder_1[fieldset][0][email]=zekisuquc419%40gmail.com&formbuilder_1[fieldset][0][message]=Hola%2C+volia+saber+el+seu+preu.&formbuilder_1[send]=&formbuilder_1[_token]=014.ou7j4Vj6iDNpd3Ww02hpog2kDyUqtBedOGRy7-9oxjQ.l6WFqgGiuwIPFkXAsQpfj3ycXldOwn3Yagg7iLcBsWLEg9W1H8K4Byo9Eg
Expected Behavior
The JsonException should be properly caught and handled, preferably by converting it into an appropriate form error message instead of allowing it to propagate and cause a Twig exception.
Possible solution
DynamicFormType.php line 67
// Requires, at the top of DynamicFormType.php:
// use Symfony\Component\Form\CallbackTransformer;
// use Symfony\Component\Form\Exception\TransformationFailedException;
$builder->get('formRuntimeData')->addModelTransformer(new CallbackTransformer(
    // model -> view: serialize the runtime data array for the hidden field
    function ($runtimeData) {
        return is_array($runtimeData) ? json_encode($runtimeData, JSON_THROW_ON_ERROR) : null;
    },
    // view -> model: decode the submitted JSON; malformed input becomes a
    // TransformationFailedException, which the form layer reports as a field error
    // instead of letting the JsonException reach the Twig renderer
    function ($runtimeData) {
        try {
            return empty($runtimeData) ? null : json_decode($runtimeData, true, 512, JSON_THROW_ON_ERROR);
        } catch (\JsonException $e) {
            throw new TransformationFailedException('', 0, $e);
        }
    }
));
With this solution, the error is raised inside the form layer and the normal anti-spam mechanisms take effect as expected.
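To show why the spam payload fails and how the proposed transformer handles it, here is an added stand-alone script (not code from the issue or from the FormBuilder bundle) that builds the same CallbackTransformer and feeds it a shortened, constructed excerpt of the POST body quoted above; it assumes symfony/form is installed via Composer.

```php
<?php
// Added example, not part of the issue or of the FormBuilder bundle.
// Assumes: composer require symfony/form (CallbackTransformer, TransformationFailedException).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Form\CallbackTransformer;
use Symfony\Component\Form\Exception\TransformationFailedException;

// The transformer from the proposed fix, built outside the form type so it can be
// exercised directly. Name of this helper is our own, not the bundle's.
function buildRuntimeDataTransformer(): CallbackTransformer
{
    return new CallbackTransformer(
        // model -> view: array to JSON string for the hidden field
        fn ($runtimeData) => is_array($runtimeData) ? json_encode($runtimeData, JSON_THROW_ON_ERROR) : null,
        // view -> model: JSON string back to array; malformed JSON becomes a form-level failure
        function ($runtimeData) {
            try {
                return empty($runtimeData) ? null : json_decode($runtimeData, true, 512, JSON_THROW_ON_ERROR);
            } catch (\JsonException $e) {
                throw new TransformationFailedException('Invalid formRuntimeData JSON', 0, $e);
            }
        }
    );
}

$transformer = buildRuntimeDataTransformer();

// 1. Well-formed runtime data round-trips through the transformer.
$encoded = $transformer->transform(['form_preset' => 'custom']);  // {"form_preset":"custom"}
$decoded = $transformer->reverseTransform($encoded);
echo 'valid payload decodes to form_preset=', $decoded['form_preset'], PHP_EOL;

// 2. Constructed, shortened excerpt of the issue's POST body. After URL decoding the
//    quotes arrive as the HTML entity &quot; rather than ", so the value is not JSON.
$postBody = 'formbuilder_10[formRuntimeData]=%7B%26quot%3Bform_preset%26quot%3B%3A%26quot%3Bcustom%26quot%3B%7D';
parse_str($postBody, $fields);
$malformed = $fields['formbuilder_10']['formRuntimeData'];
echo 'submitted value: ', $malformed, PHP_EOL;  // {&quot;form_preset&quot;:&quot;custom&quot;}

try {
    $transformer->reverseTransform($malformed);
    echo 'unexpected: malformed payload was accepted', PHP_EOL;
} catch (TransformationFailedException $e) {
    // This is what the form component catches and turns into a field error;
    // the original JsonException is preserved as the previous exception.
    echo 'rejected: ', get_class($e->getPrevious()), ' - ', $e->getPrevious()->getMessage(), PHP_EOL;
}
```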