Fix NoMethodError in FilesController when Accept header is missing (#5448)

dantreiman · web-flow · commit 021ac02effca · 2026-05-20T11:34:14.000-04:00
* Fix NoMethodError in FilesController when Accept header is missing

* Use safe navigation on both the split and the include? so a missing
Accept header simply leaves the default request format alone
diff --git a/apps/dashboard/app/controllers/files_controller.rb b/apps/dashboard/app/controllers/files_controller.rb
@@ -8,7 +8,7 @@ class FilesController < ApplicationController
   before_action :strip_sendfile_headers, only: [:fs, :directory_frame]
 
   def fs
-    request.format = 'json' if request.headers['HTTP_ACCEPT'].split(',').include?('application/json')
+    request.format = 'json' if json_request?
     parse_path(fs_params[:filepath], fs_params[:fs])
     validate_path!
 
@@ -211,6 +211,17 @@ def edit
 
   private
 
+  # Whether the incoming request explicitly accepts application/json.
+  #
+  # Coerces the Accept header to a string because some user agents
+  # (notably Chrome on `<a download>` links for files linked from
+  # Interactive App session views) omit the header entirely, which
+  # would otherwise raise NoMethodError on nil.split and leave the
+  # global rescue_action handler to redirect users to $HOME.
+  def json_request?
+    request.headers['HTTP_ACCEPT'].to_s.split(',').include?('application/json')
+  end
+
   def rescue_action(exception)
     @files = []
     flash.now[:alert] = exception.message.to_s
diff --git a/apps/dashboard/test/controllers/files_controller_test.rb b/apps/dashboard/test/controllers/files_controller_test.rb
@@ -166,4 +166,22 @@ def setup
     @controller.instance_variable_set(:@path, path)
     refute @controller.send(:posix_file?)
   end
+
+  # Tests for files_controller#json_request?
+  # Regression test for #5447: a request with no Accept header must not
+  # crash FilesController#fs with NoMethodError on nil.split.
+  test 'json_request? returns false when Accept header is missing' do
+    @request.env.delete('HTTP_ACCEPT')
+    refute @controller.send(:json_request?)
+  end
+
+  test 'json_request? returns truthy when Accept includes application/json' do
+    @request.env['HTTP_ACCEPT'] = 'text/html,application/json'
+    assert @controller.send(:json_request?)
+  end
+
+  test 'json_request? returns falsy when Accept does not include application/json' do
+    @request.env['HTTP_ACCEPT'] = 'text/html'
+    refute @controller.send(:json_request?)
+  end
 end
