From 91a52ead583baf6d97e2c90288b5e0d70f4ef441 Mon Sep 17 00:00:00 2001
From: JASON KNOEPFLER
Date: Sat, 14 Sep 2019 09:13:44 -0700
Subject: [PATCH] Guard against malformed request referer

---
 app/services/embedded_page_service.rb | 4 +++-
 spec/services/embedded_page_service_spec.rb | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/services/embedded_page_service.rb b/app/services/embedded_page_service.rb
index 8d6e27df26..55c0bf79ab 100644
--- a/app/services/embedded_page_service.rb
+++ b/app/services/embedded_page_service.rb
@@ -73,7 +73,9 @@ class EmbeddedPageService

 def current_referer
 return if @request.referer.blank?
- URI(@request.referer).host.downcase
+ uri = URI(@request.referer)
+ return if uri.host.blank?
+ uri.host.downcase
 end

 def current_referer_without_www
diff --git a/spec/services/embedded_page_service_spec.rb b/spec/services/embedded_page_service_spec.rb
index eb44b014ab..ecaf79f05c 100644
--- a/spec/services/embedded_page_service_spec.rb
+++ b/spec/services/embedded_page_service_spec.rb
@@ -59,5 +59,16 @@ describe EmbeddedPageService do
 expect(response.headers['X-Frame-Options']).to eq 'DENY'
 end
 end
+
+ context "when the request's referer is malformed" do
+ let(:request) { ActionController::TestRequest.new('HTTP_HOST' => 'ofn-instance.com', 'HTTP_REFERER' => 'hello')}
+ before do
+ service.embed!
+ end
+
+ it "returns a 200 status" do
+ expect(response.status).to eq 200
+ end
+ end
 end
 end
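Review bot: `URI(@request.referer)` in `current_referer` still raises `URI::InvalidURIError` for a Referer that cannot be parsed at all (for example one containing a space), so the new `uri.host.blank?` guard only covers values that parse but carry no host. The Referer header is client-controlled and should be treated as untrusted input on this path. A method-level rescue placed before the closing `end` would cover it: `rescue URI::InvalidURIError` followed by `nil`. How callers treat a nil return is outside the hunk; presumably it should leave framing denied rather than allowed, which is worth confirming.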
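Review bot: The new example asserts only `response.status`, which does not pin the security-relevant outcome of a malformed referer. The neighbouring example checks `X-Frame-Options`; assuming a referer without a host is meant to count as not whitelisted, adding `expect(response.headers['X-Frame-Options']).to eq 'DENY'` would make a regression that permits framing fail the spec. The spec's `let` definitions are outside the hunk, so that expectation needs checking against them. A second context using an unparsable referer (a constructed value such as `'not a uri'`) would also exercise the `URI::InvalidURIError` path.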