Merge pull request #4680 from tomhughes/validate-page-numbers

Add parameter validation to pagination
2024-05-15 17:43:04 +01:00 · 2024-05-15 17:43:04 +01:00 · ffda8d7ac5
commit ffda8d7ac5
parent 39963d8c70 d8b468e7a1
18 changed files with 181 additions and 0 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -10,6 +10,8 @@ class ApplicationController < ActionController::Base
  rescue_from CanCan::AccessDenied, :with => :deny_access
  check_authorization

+  rescue_from RailsParam::InvalidParameterError, :with => :invalid_parameter
+
  before_action :fetch_body
  around_action :better_errors_allow_inline, :if => proc { Rails.env.development? }

@ -310,6 +312,17 @@ class ApplicationController < ActionController::Base
    end
  end

+  def invalid_parameter(_exception)
+    if request.get?
+      respond_to do |format|
+        format.html { redirect_to :controller => "/errors", :action => "bad_request" }
+        format.any { head :bad_request }
+      end
+    else
+      head :bad_request
+    end
+  end
+
  # extract authorisation credentials from headers, returns user = nil if none
  def auth_data
    if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
--- a/app/controllers/changesets_controller.rb
+++ b/app/controllers/changesets_controller.rb
@ -18,6 +18,8 @@ class ChangesetsController < ApplicationController
  ##
  # list non-empty changesets in reverse chronological order
  def index
+    param! :max_id, Integer, :min => 1
+
    @params = params.permit(:display_name, :bbox, :friends, :nearby, :max_id, :list)

    if request.format == :atom && @params[:max_id]
--- a/app/controllers/concerns/pagination_methods.rb
+++ b/app/controllers/concerns/pagination_methods.rb
@ -6,6 +6,9 @@ module PaginationMethods
  ##
  # limit selected items to one page, get ids of first item before/after the page
  def get_page_items(items, includes: [], limit: 20)
+    param! :before, Integer, :min => 1
+    param! :after, Integer, :min => 1
+
    id_column = "#{items.table_name}.id"
    page_items = if params[:before]
                   items.where("#{id_column} < ?", params[:before]).order(:id => :desc)
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@ -5,6 +5,13 @@ class ErrorsController < ApplicationController

  before_action :set_locale

+  def bad_request
+    respond_to do |format|
+      format.html { render :status => :bad_request }
+      format.any { render :status => :bad_request, :plain => "" }
+    end
+  end
+
  def forbidden
    respond_to do |format|
      format.html { render :status => :forbidden }
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@ -16,6 +16,8 @@ class NotesController < ApplicationController
  ##
  # Display a list of notes by a specified user
  def index
+    param! :page, Integer, :min => 1
+
    @params = params.permit(:display_name)
    @title = t ".title", :user => @user.display_name
    @page = (params[:page] || 1).to_i