From 0f92b412f4b5ab0783fb6095d476da7894de02b2 Mon Sep 17 00:00:00 2001
From: Peter Bengtsson
Date: Fri, 9 Jun 2023 08:45:19 -0400
Subject: [PATCH] Trap survey honeypot GET requests (#37643)

---
 .../middleware/handle-invalid-query-strings.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/observability/middleware/handle-invalid-query-strings.js b/src/observability/middleware/handle-invalid-query-strings.js
index 2e14931790..1ca0b8faf1 100644
--- a/src/observability/middleware/handle-invalid-query-strings.js
+++ b/src/observability/middleware/handle-invalid-query-strings.js
@@ -46,10 +46,16 @@ export default function handleInvalidQuerystrings(req, res, next) {
     }
   }
-  if (keys.length >= MAX_UNFAMILIAR_KEYS_BAD_REQUEST) {
+  // If you fill out the Survey form with all the fields and somehow
+  // don't attempt to make a POST request, you'll end up with a query
+  // string like this.
+  const honeypotted = 'survey-token' in query && 'survey-vote' in query
+
+  if (keys.length >= MAX_UNFAMILIAR_KEYS_BAD_REQUEST || honeypotted) {
     noCacheControl(res)
-    res.status(400).send('Too many unrecognized query string parameters')
+    const message = honeypotted ? 'Honeypotted' : 'Too many unrecognized query string parameters'
+    res.status(400).send(message)
     const tags = [
       'response:400',