FIX: Validate page/limit params for directory, user-badges and groups (#22877)

We'll now return a 400 error instead of 500. 400 is a better description of the issue, and also avoids creating unnecessary noise in the logs.
2025-05-28 13:51:18 +08:00 · 2023-07-31 15:00:05 +01:00
parent 984dd89cb4
commit 6e8e3c3151
7 changed files with 51 additions and 12 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1086,18 +1086,29 @@ class ApplicationController < ActionController::Base
  end

  def fetch_limit_from_params(params: self.params, default:, max:)
-    raise "default limit cannot be greater than max limit" if default.present? && default > max
+    fetch_int_from_params(:limit, params: params, default: default, max: max)
+  end

-    if params.has_key?(:limit)
-      limit =
+  def fetch_int_from_params(key, params: self.params, default:, min: 0, max: nil)
+    key = key.to_sym
+
+    if default.present? && ((max.present? && default > max) || (min.present? && default < min))
+      raise "default #{key.inspect} is not between #{min.inspect} and #{max.inspect}"
+    end
+
+    if params.has_key?(key)
+      value =
        begin
-          Integer(params[:limit])
+          Integer(params[key])
        rescue ArgumentError
-          raise Discourse::InvalidParameters.new(:limit)
+          raise Discourse::InvalidParameters.new(key)
        end

-      raise Discourse::InvalidParameters.new(:limit) if limit < 0 || limit > max
-      limit
+      if (min.present? && value < min) || (max.present? && value > max)
+        raise Discourse::InvalidParameters.new(key)
+      end
+
+      value
    else
      default
    end