From 72cdd8d415ae3f797c0d5e2c857370714a42c54a Mon Sep 17 00:00:00 2001
From: Krzysztof Kotlarek
Date: Mon, 27 Sep 2021 14:52:27 +1000
Subject: [PATCH] FIX: ignore category filter when incorrect param (#59)

Category filter accepts ids of categories. If value is manipulated, we should ignore it.
---
 lib/docs/query.rb | 3 ++-
 spec/requests/docs_controller_spec.rb | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/docs/query.rb b/lib/docs/query.rb
index dbc1758..12396ef 100644
--- a/lib/docs/query.rb
+++ b/lib/docs/query.rb
@@ -27,7 +27,8 @@ module Docs
 # filter results by selected category
 if @filters[:category].present?
- results = results.where('topics.category_id IN (?)', @filters[:category].split('|'))
+ category_ids = @filters[:category].split('|')
+ results = results.where('topics.category_id IN (?)', category_ids) if category_ids.all? { |id| id =~ /\A\d+\z/ }
 end
 # filter results by selected tags
diff --git a/spec/requests/docs_controller_spec.rb b/spec/requests/docs_controller_spec.rb
index 6562066..75d4b45 100644
--- a/spec/requests/docs_controller_spec.rb
+++ b/spec/requests/docs_controller_spec.rb
@@ -120,6 +120,20 @@ describe Docs::DocsController do
 expect(categories.size).to eq(1)
 expect(topics.size).to eq(1)
 end
+ it 'ignores category filter when incorrect argument' do
+ get "/docs.json?category=hack"
+
+ expect(response.status).to eq(200)
+
+ json = JSON.parse(response.body)
+ categories = json['categories']
+ topics = json['topics']['topic_list']['topics']
+
+ expect(categories.size).to eq(2)
+ expect(topics.size).to eq(3)
+
+ end
 end
 context 'when ordering results' do
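Review bot: The added guard in lib/docs/query.rb uses `=~`, which builds a MatchData the block never reads; `match?` expresses the same whole-string check without the allocation, so the added line would read `results = results.where('topics.category_id IN (?)', category_ids) if category_ids.all? { |id| id.match?(/\A\d+\z/) }`. The `\A`/`\z` anchors are the right choice here, since `^`/`$` would accept a value with an injected newline. Note that `all?` is true for an empty array, so a value such as `"|"` passes `present?`, splits to `[]`, and still reaches the `where` with an empty list; whether that yields an empty result or an error depends on how ActiveRecord expands `IN (?)` for `[]`, which the hunk does not show, and a `category_ids.any? && category_ids.all? { … }` guard would make that case explicit. The enclosing method starts and ends outside the hunk.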
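Review bot: The new spec only covers a fully non-numeric value (`category=hack`); the guard in query.rb drops the whole filter when any one id is malformed, so a mixed value such as `category=1|hack` is the case most worth pinning, and a second example asserting the unfiltered counts for it would document that all-or-nothing behaviour. The expected sizes `eq(2)` and `eq(3)` depend on fixtures created outside the hunk, so I would confirm they are the unfiltered totals rather than coincidental matches. The blank line before the closing `end` of the new `it` block is stray and can be removed. The enclosing `describe` block starts and ends outside the hunk.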