DEV - handle malformed `page` param (#11093)

* DEV - handle malformed page params

app/controllers/search_controller.rb

@@ -11,7 +11,8 @@ class SearchController < ApplicationController
   end
 
   def show
-    @search_term = params.permit(:q)[:q]
+    permitted_params = params.permit(:q, :page)
+    @search_term = permitted_params[:q]
 
     # a q param has been given but it's not in the correct format
     # eg: ?q[foo]=bar
@@ -28,6 +29,12 @@ class SearchController < ApplicationController
       raise Discourse::InvalidParameters.new("string contains null byte")
     end
 
+    page = permitted_params[:page]
+    # check for a malformed page parameter
+    if page && (!page.is_a?(String) || page.to_i.to_s != page)
+      raise Discourse::InvalidParameters
+    end
+
     rate_limit_errors = rate_limit_search
 
     discourse_expires_in 1.minute
@@ -36,8 +43,8 @@ class SearchController < ApplicationController
       type_filter: 'topic',
       guardian: guardian,
       blurb_length: 300,
-      page: if params[:page].to_i <= 10
-              [params[:page].to_i, 1].max
+      page: if page.to_i <= 10
+              [page.to_i, 1].max
             end
     }
 

spec/requests/search_controller_spec.rb

@@ -330,6 +330,21 @@ describe SearchController do
       expect(response.status).to eq(400)
     end
 
+    it "doesn't raise an error if the page is a string number" do
+      get "/search.json", params: { q: 'kittens', page: '3' }
+      expect(response.status).to eq(200)
+    end
+
+    it "doesn't raise an error if the page is a integer number" do
+      get "/search.json", params: { q: 'kittens', page: 3 }
+      expect(response.status).to eq(200)
+    end
+
+    it "returns a 400 error if the page parameter is invalid" do
+      get "/search.json?page=xawesome%27\"</a\&"
+      expect(response.status).to eq(400)
+    end
+
     it "logs the search term" do
       SiteSetting.log_search_queries = true
       get "/search.json", params: { q: 'bantha' }