From 9ff7f25106660f8216f2cab4c6e556ec3312006e Mon Sep 17 00:00:00 2001
From: jbrw
Date: Mon, 2 Nov 2020 12:40:54 -0500
Subject: [PATCH] DEV - handle malformed `page` param (#11093)

* DEV - handle malformed page params
---
 app/controllers/search_controller.rb    | 13 ++++++++++---
 spec/requests/search_controller_spec.rb | 15 +++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index ee64025a7ab..c909fc09145 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -11,7 +11,8 @@ class SearchController < ApplicationController
   end
 
   def show
-    @search_term = params.permit(:q)[:q]
+    permitted_params = params.permit(:q, :page)
+    @search_term = permitted_params[:q]
 
     # a q param has been given but it's not in the correct format
     # eg: ?q[foo]=bar
@@ -28,6 +29,12 @@ class SearchController < ApplicationController
       raise Discourse::InvalidParameters.new("string contains null byte")
     end
 
+    page = permitted_params[:page]
+    # check for a malformed page parameter
+    if page && (!page.is_a?(String) || page.to_i.to_s != page)
+      raise Discourse::InvalidParameters
+    end
+
     rate_limit_errors = rate_limit_search
 
     discourse_expires_in 1.minute
@@ -36,8 +43,8 @@ class SearchController < ApplicationController
       type_filter: 'topic',
       guardian: guardian,
       blurb_length: 300,
-      page: if params[:page].to_i <= 10
-        [params[:page].to_i, 1].max
+      page: if page.to_i <= 10
+        [page.to_i, 1].max
       end
     }
 
diff --git a/spec/requests/search_controller_spec.rb b/spec/requests/search_controller_spec.rb
index a407eef8d1c..0988c061179 100644
--- a/spec/requests/search_controller_spec.rb
+++ b/spec/requests/search_controller_spec.rb
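Review bot: The new `raise Discourse::InvalidParameters` in the page check raises without naming the offending parameter, unlike the null-byte check a few lines above in the same hunk which passes a message to the constructor; naming the parameter makes the 400 response tell the client what was rejected: `raise Discourse::InvalidParameters.new(:page)`. The same condition also turns an empty `?page=` into a 400, because `"".to_i.to_s` is `"0"`, where the old code fell through to page 1 — if an empty value is meant to stay accepted, test `page.present?` instead of `page` in the `if`. Since `params.permit(:q, :page)` filters non-scalar values before they reach `permitted_params[:page]`, the `!page.is_a?(String)` branch is presumably unreachable for a hash-valued `page` (it is silently dropped, not rejected), which is worth confirming against the intended behaviour. The enclosing `show` method starts before and ends after this hunk.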
@@ -330,6 +330,21 @@ describe SearchController do
       expect(response.status).to eq(400)
     end
 
+    it "doesn't raise an error if the page is a string number" do
+      get "/search.json", params: { q: 'kittens', page: '3' }
+      expect(response.status).to eq(200)
+    end
+
+    it "doesn't raise an error if the page is a integer number" do
+      get "/search.json", params: { q: 'kittens', page: 3 }
+      expect(response.status).to eq(200)
+    end
+
+    it "returns a 400 error if the page parameter is invalid" do
+      get "/search.json?page=xawesome%27\"