Add validation for maximum ID passed to changesets#index

tomhughes · Apr 11, 2024 · d8b468e · d8b468e
1 parent e3c43e4
commit d8b468e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/app/controllers/changesets_controller.rb b/app/controllers/changesets_controller.rb
@@ -18,6 +18,8 @@ class ChangesetsController < ApplicationController
   ##
   # list non-empty changesets in reverse chronological order
   def index
+    param! :max_id, Integer, :min => 1
+
     @params = params.permit(:display_name, :bbox, :friends, :nearby, :max_id, :list)
 
     if request.format == :atom && @params[:max_id]

diff --git a/test/controllers/changesets_controller_test.rb b/test/controllers/changesets_controller_test.rb
@@ -92,6 +92,15 @@ def test_index_xhr
     check_index_result(changesets.last(20))
   end
 
+  ##
+  # This should report an error
+  def test_index_invalid_xhr
+    %w[-1 0 fred].each do |id|
+      get history_path(:format => "html", :list => "1", :max_id => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+    end
+  end
+
   ##
   # This should display the last 20 changesets closed in a specific area
   def test_index_bbox