From 72cdd8d415ae3f797c0d5e2c857370714a42c54a Mon Sep 17 00:00:00 2001
From: Krzysztof Kotlarek <kotlarek.krzysztof@gmail.com>
Date: Mon, 27 Sep 2021 14:52:27 +1000
Subject: [PATCH] FIX: ignore category filter when incorrect param (#59)

Category filter accepts ids of categories. If value is manipulated, we should ignore it.
---
 lib/docs/query.rb                     |  3 ++-
 spec/requests/docs_controller_spec.rb | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/docs/query.rb b/lib/docs/query.rb
index dbc1758..12396ef 100644
--- a/lib/docs/query.rb
+++ b/lib/docs/query.rb
@@ -27,7 +27,8 @@ module Docs
 
       # filter results by selected category
       if @filters[:category].present?
-        results = results.where('topics.category_id IN (?)', @filters[:category].split('|'))
+        category_ids = @filters[:category].split('|')
+        results = results.where('topics.category_id IN (?)', category_ids) if category_ids.all? { |id| id =~ /\A\d+\z/ }
       end
 
       # filter results by selected tags
diff --git a/spec/requests/docs_controller_spec.rb b/spec/requests/docs_controller_spec.rb
index 6562066..75d4b45 100644
--- a/spec/requests/docs_controller_spec.rb
+++ b/spec/requests/docs_controller_spec.rb
@@ -120,6 +120,20 @@ describe Docs::DocsController do
         expect(categories.size).to eq(1)
         expect(topics.size).to eq(1)
       end
+
+      it 'ignores category filter when incorrect argument' do
+        get "/docs.json?category=hack"
+
+        expect(response.status).to eq(200)
+
+        json = JSON.parse(response.body)
+        categories = json['categories']
+        topics = json['topics']['topic_list']['topics']
+
+        expect(categories.size).to eq(2)
+        expect(topics.size).to eq(3)
+
+      end
     end
 
     context 'when ordering results' do