Catch UnicodeDecodeError in extract_ajax_token

request_token/exceptions.py

@@ -4,6 +4,7 @@
 These exceptions all inherit from the PyJWT base InvalidTokenError.
 
 """
+
 from __future__ import annotations
 
 from jwt.exceptions import InvalidTokenError

request_token/management/commands/truncate_request_token_log.py

@@ -7,6 +7,7 @@
 period of time.
 
 """
+
 from argparse import ArgumentParser
 from datetime import datetime, timedelta
 from typing import Any

request_token/middleware.py

@@ -34,6 +34,9 @@ def extract_ajax_token(self, request: HttpRequest) -> str | None:
             payload = json.loads(request.body)
         except json.decoder.JSONDecodeError:
             return None
+        except UnicodeDecodeError:
+            return None
+
         try:
             return payload.get(JWT_QUERYSTRING_ARG)
         except AttributeError:

request_token/utils.py

@@ -1,4 +1,5 @@
 """Basic encode/decode utils, taken from PyJWT."""
+
 from __future__ import annotations
 
 import calendar

tests/test_middleware.py

@@ -147,3 +147,14 @@ def test_extract_json_token(self):
         request = self.post_request_with_JSON(self.default_payload)
         middleware = RequestTokenMiddleware(lambda r: HttpResponse())
         self.assertEqual(middleware.extract_ajax_token(request), self.token.jwt())
+
+    def test_extract_ajax_token_catches_unicode_error(self):
+        request = self.factory.post(
+            "/", data=b"\xa0", content_type="application/json"  # Invalid UTF-8 data
+        )
+        request.user = self.user
+        request.session = MockSession()
+
+        middleware = RequestTokenMiddleware(get_response=lambda r: HttpResponse())
+        result = middleware.extract_ajax_token(request)
+        self.assertIsNone(result)

tox.ini

@@ -48,7 +48,7 @@ deps =
     ruff
 
 commands =
-    ruff request_token
+    ruff check request_token
 
 [testenv:mypy]
 description = Python source code type hints (mypy)