From da3b68f9be0454ea745417763b0bf703d6993e4f Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Mon, 16 Jan 2023 19:20:19 +0200
Subject: [PATCH] FIX: Validate tags parameter of TopicQuery (#19830)

Recently, we have seen some errors related to invalid tags value being passed to TopicQuery.
---
 lib/topic_query.rb | 9 +++++++--
 spec/requests/list_controller_spec.rb | 6 ++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/topic_query.rb b/lib/topic_query.rb
index 5b33a15fbed..cd3ce275080 100644
--- a/lib/topic_query.rb
+++ b/lib/topic_query.rb
@@ -15,10 +15,15 @@ class TopicQuery
       @validators ||= begin
           int = lambda { |x| Integer === x || (String === x && x.match?(/^-?[0-9]+$/)) }
-          zero_up_to_max_int = lambda { |x| int.call(x) && x.to_i.between?(0, PG_MAX_INT) }
+          array_or_string = lambda { |x| Array === x || String === x }
-          { max_posts: zero_up_to_max_int, min_posts: zero_up_to_max_int, page: zero_up_to_max_int }
+          {
+            max_posts: zero_up_to_max_int,
+            min_posts: zero_up_to_max_int,
+            page: zero_up_to_max_int,
+            tags: array_or_string,
+          }
         end
     end
diff --git a/spec/requests/list_controller_spec.rb b/spec/requests/list_controller_spec.rb
index 9307d13353e..547e0573139 100644
--- a/spec/requests/list_controller_spec.rb
+++ b/spec/requests/list_controller_spec.rb
@@ -30,6 +30,9 @@ RSpec.describe ListController do
     get "/latest?page=1111111111111111111111111111111111111111"
     expect(response.status).to eq(400)
+
+    get "/latest?tags[1]=hello"
+    expect(response.status).to eq(400)
   end
   it "returns 200 for legit requests" do
@@ -59,6 +62,9 @@ RSpec.describe ListController do
     get "/latest.json?topic_ids=14583%2C14584"
     expect(response.status).to eq(200)
+
+    get "/latest?tags[]=hello"
+    expect(response.status).to eq(200)
   end
   (Discourse.anonymous_filters - [:categories]).each do |filter|
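Review bot: The new `array_or_string` validator only checks the container type, so an Array whose elements are not strings (for example the nested forms `tags[][]=hello` or `tags[][x]=y`, which Rack's nested query parsing turns into an Array of Arrays or Hashes) still passes and reaches the code this commit is trying to protect, assuming that code expects string tag names. Tightening the lambda to `array_or_string = lambda { |x| String === x || (Array === x && x.all? { |t| String === t }) }` would close that gap at the same validation point. As rendered, the hunk also shows the `zero_up_to_max_int` line as removed while the new hash literal still references it; that is presumably a rendering artifact of the patch, but worth confirming against the committed file. The method that memoizes `@validators` begins before this hunk.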
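Review bot: The new 400 assertion in list_controller_spec.rb would read better with a comment explaining why `tags[1]=hello` is rejected, since the URL itself looks harmless: `# tags[1]=hello is parsed as a Hash, which the tags validator does not accept`. The matching 200 case in the next hunk (`tags[]=hello`, the Array form) deserves the same one-line comment so the pair is self-explanatory. Neither hunk covers an Array with non-string elements, which the validator as written accepts; a request of that shape next to these two would document the intended boundary once it is decided. Both `it` blocks start outside their hunks.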