diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb index b3c60fcaf..98fa1897e 100644 --- a/app/controllers/api/base_controller.rb +++ b/app/controllers/api/base_controller.rb @@ -108,6 +108,10 @@ class Api::BaseController < ApplicationController render json: { error: 'Your login is currently disabled' }, status: 403 if current_user&.account&.unavailable? end + def require_valid_pagination_options! + render json: { error: 'Pagination values for `offset` and `limit` must be positive' }, status: 400 if pagination_options_invalid? + end + def require_user! if !current_user render json: { error: 'This method requires an authenticated user' }, status: 422 @@ -136,6 +140,10 @@ class Api::BaseController < ApplicationController private + def pagination_options_invalid? + params.slice(:limit, :offset).values.map(&:to_i).any?(&:negative?) + end + def respond_with_error(code) render json: { error: Rack::Utils::HTTP_STATUS_CODES[code] }, status: code end diff --git a/app/controllers/api/v2/search_controller.rb b/app/controllers/api/v2/search_controller.rb index 4339bee21..3cfc6e791 100644 --- a/app/controllers/api/v2/search_controller.rb +++ b/app/controllers/api/v2/search_controller.rb @@ -12,6 +12,7 @@ class Api::V2::SearchController < Api::BaseController before_action :query_pagination_error, if: :pagination_requested? before_action :remote_resolve_error, if: :remote_resolve_requested? end + before_action :require_valid_pagination_options! def index @search = Search.new(search_results) diff --git a/spec/requests/api/v2/search_spec.rb b/spec/requests/api/v2/search_spec.rb index d0778cba4..13bcf1798 100644 --- a/spec/requests/api/v2/search_spec.rb +++ b/spec/requests/api/v2/search_spec.rb @@ -40,7 +40,7 @@ describe 'Search API' do end end - context 'with `offset`' do + context 'with valid `offset` value' do let(:params) { { q: 'test1', offset: 1 } } it 'returns http unauthorized' do @@ -50,6 +50,26 @@ describe 'Search API' do end end + context 'with negative `offset` value' do + let(:params) { { q: 'test1', offset: '-100', type: 'accounts' } } + + it 'returns http bad_request' do + get '/api/v2/search', headers: headers, params: params + + expect(response).to have_http_status(400) + end + end + + context 'with negative `limit` value' do + let(:params) { { q: 'test1', limit: '-100', type: 'accounts' } } + + it 'returns http bad_request' do + get '/api/v2/search', headers: headers, params: params + + expect(response).to have_http_status(400) + end + end + context 'with following=true' do let(:params) { { q: 'test', type: 'accounts', following: 'true' } }