authorMáté Szabó <mszabo@wikimedia.org>2025-02-04 13:31:32 +0100
committerMáté Szabó <mszabo@wikimedia.org>2025-02-04 13:31:32 +0100
commitcd1d42a5066e4bcb9b9d4ed9b4f7714fd428fea3 (patch)
tree8d3d469c24b5c8dbaf855446ca3b81010c962f22 /includes/Rest/Handler
parenteec130925c081c2da1c475f9a9ce719e6838ca51 (diff)
rest: Return a 400 for invalid render IDs
Why: - The REST API takes an optional renderid param when converting HTML back to source wikitext, which is user-provided and may be invalid. - Invalid render IDs cause an InvalidArgumentException to be thrown that causes a 500 response. What: - Introduce a new error message for invalid render IDs in the REST API. - Return a 400 with this new error message for HTML reverse-parses with an invalid render ID. Bug: T385568 Change-Id: I062419fe8952329a39781a49cdca2e94c3996447
Diffstat (limited to 'includes/Rest/Handler')
-rw-r--r--includes/Rest/Handler/Helper/HtmlInputTransformHelper.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/includes/Rest/Handler/Helper/HtmlInputTransformHelper.php b/includes/Rest/Handler/Helper/HtmlInputTransformHelper.php
index de2126e975d1..3a9457db9397 100644
--- a/includes/Rest/Handler/Helper/HtmlInputTransformHelper.php
+++ b/includes/Rest/Handler/Helper/HtmlInputTransformHelper.php
@@ -370,7 +370,14 @@ class HtmlInputTransformHelper {
throw new LocalizedHttpException( new MessageValue( "rest-bad-etag", [ $key ] ), 400 );
}
} else {
- $originalRendering = ParsoidRenderID::newFromKey( $key );
+ try {
+ $originalRendering = ParsoidRenderID::newFromKey( $key );
+ } catch ( InvalidArgumentException $e ) {
+ throw new LocalizedHttpException(
+ new MessageValue( 'rest-parsoid-bad-render-id', [ $key ] ),
+ 400
+ );
+ }
}
} elseif ( !empty( $original['html'] ) || !empty( $original['data-parsoid'] ) ) {
// NOTE: We might have an incomplete PageBundle here, with no HTML but with data-parsoid!
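Review bot: The new `catch ( InvalidArgumentException $e )` only matches if the unqualified name resolves to the global class. The file's `use` block is outside this hunk and the diffstat shows no insertion beyond these eight lines, so the commit depends on an existing `use InvalidArgumentException;`. If the file is namespaced and that import is absent, PHP raises no error and the catch never fires, so the 500 would remain; confirm the import or write `} catch ( \InvalidArgumentException $e ) {`. The user-supplied `$key` is also passed unchanged into the client-visible message, as in the `rest-bad-etag` branch above, so any consumer that renders the error text has to treat it as untrusted. The enclosing method starts and ends outside the hunk.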