From f8360f96654775f10a2bb71948873ed19820f0be Mon Sep 17 00:00:00 2001
From: Ted Johansson
Date: Fri, 18 Oct 2024 14:37:52 +0800
Subject: [PATCH] FIX: Don't error out on nested topic show id param (#29274)

We're expecting the ID param to be something that neatly coerces into an ID. If we receive something like a nested parameter, this will blow up. (We already handle the case of arrays.) This commit raises an InvalidParameters exception in the case of a nested ID.
---
 app/controllers/topics_controller.rb    | 2 +-
 spec/requests/topics_controller_spec.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb
index cd4c1224f09..f755f6eb2e5 100644
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@@ -51,7 +51,7 @@ class TopicsController < ApplicationController
   end
 
   def show
-    if params[:id].is_a?(Array)
+    if params[:id].is_a?(Array) || params[:id].is_a?(ActionController::Parameters)
       raise Discourse::InvalidParameters.new("Show only accepts a single ID")
     end
 
diff --git a/spec/requests/topics_controller_spec.rb b/spec/requests/topics_controller_spec.rb
index c36cff13727..d8b375ee67f 100644
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@@ -2344,6 +2344,12 @@ RSpec.describe TopicsController do
     expect(response.status).to eq(400)
   end
 
+  it "does not raise an unhandled exception when receiving a nested ID parameter" do
+    get "/t/#{topic.id}/summary?id[foo]=a"
+
+    expect(response.status).to eq(400)
+  end
+
   it "keeps the post_number parameter around when redirecting" do
     get "/t/#{topic.slug}", params: { post_number: 42 }
     expect(response).to redirect_to(topic.relative_url + "/42")
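Review bot: The guard at the top of `show` is a deny-list of two parameter shapes (Array, now also ActionController::Parameters), which will need extending again the next time a new non-scalar shape reaches it; checking for the one shape the rest of the method can actually coerce is easier to keep correct. A positive form along the lines of `id = params[:id]` / `raise Discourse::InvalidParameters.new("Show only accepts a single ID") unless id.nil? || id.is_a?(String)` also avoids evaluating `params[:id]` twice. Whether this action can legitimately receive a non-String scalar id (for example an Integer from a JSON request body) is not visible in the hunk, so the accepted types would need confirming against the routes before switching. The body of `show` continues past the end of this hunk.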