discourse/spec/requests
Ted Johansson 07f87ff7a8
DEV: Strictly filter tag search limit parameter input (#21524)
### What is the problem?

It is possible to pass an arbitrary value to the limit parameter in `TagsController#search`, and have it flow through `DiscourseTagging.filter_allowed_tags` where it will raise an error deep in the database driver. MiniSql ensures there's no injection happening, but that ultimately results in an invalid query.

### How does this fix it?

This change checks more strictly that the parameter can be cleanly converted to an integer by replacing the loose `#to_i` conversion semantics with the stronger `Kernel#Integer` ones.

**Example:**

```ruby
"1; SELECT 1".to_i
#=> 1

Integer("1; SELECT 1")
#=> ArgumentError
```

As part of the change, I also went ahead and disallowed a limit of "0", as that doesn't seem to be a useful option. Previously only negative limits were disallowed.
2023-05-12 16:49:14 +08:00
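An added example, not code from the commit or from Discourse, that turns the `to_i` versus `Kernel#Integer` contrast described above into a small validation helper for a `limit` query parameter; the function names, the default of 5 and the cap of 50 are assumptions.

```ruby
# Added example (not Discourse's code). Constants below are assumed values.
DEFAULT_LIMIT = 5
MAX_LIMIT = 50

# Loose conversion: String#to_i silently truncates at the first non-digit,
# so "1; SELECT 1" becomes 1 and "abc" becomes 0. Nothing is rejected.
def loose_limit(raw)
  raw.to_i
end

# Strict conversion: only an optionally signed integer string is accepted.
# Passing base 10 explicitly matters: without a base, Kernel#Integer would
# also accept prefixed forms such as "0x10" or "0b1". Non-string values
# (e.g. an Array from a repeated query key) raise and are rejected as well.
# Note that Integer still tolerates digit separators, so "1_0" parses as 10.
# Returns [:ok, limit] or [:error, reason].
def strict_limit(raw)
  return [:ok, DEFAULT_LIMIT] if raw.nil?

  n =
    begin
      Integer(raw, 10)
    rescue ArgumentError, TypeError
      return [:error, :not_an_integer]
    end

  # Zero and negative limits are rejected, matching the commit's behaviour.
  return [:error, :non_positive] if n <= 0

  # Clamp to a server-side maximum so a huge limit cannot drive an oversized query.
  [:ok, [n, MAX_LIMIT].min]
end
```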
admin DEV: Add configurable? helper to Plugin::Instance (#21472) 2023-05-10 16:21:48 +03:00
api FIX: Create invite api docs (#21460) 2023-05-09 13:20:46 -06:00
about_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
application_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
associate_accounts_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
badges_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
bookmarks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
bootstrap_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
categories_controller_spec.rb FIX: TopicQuery for NULL category.topic_id (#20664) 2023-03-13 19:33:26 +00:00
clicks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
composer_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
composer_messages_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
csp_reports_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
directory_columns_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
directory_items_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
do_not_disturb_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
drafts_controller_spec.rb FIX: Don't render error for bad-sequence (#21187) 2023-04-20 10:26:11 -05:00
email_controller_spec.rb FIX: Unsubscribing via key associated with deleted topic (#20275) 2023-02-16 10:47:01 +00:00
embed_controller_spec.rb FEATURE: Update topic/comment embedding parameters (#20181) 2023-02-28 14:31:59 +02:00
exceptions_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
export_csv_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
extra_locales_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
finish_installation_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
forums_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
groups_controller_spec.rb SECURITY: Limit the character count of group membership requests (#19993) 2023-01-25 13:50:33 +02:00
hashtags_controller_spec.rb FIX: Category hashtags weren't always found for sub-sub-categories (#20156) 2023-02-03 12:17:52 +01:00
inline_onebox_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
invites_controller_spec.rb FIX: Display a proper error when user already exists and email addresses are hidden. (#20585) 2023-03-08 12:38:58 -03:00
list_controller_spec.rb DEV: Support excluding categories with the category: filter (#21432) 2023-05-08 14:04:47 +08:00
metadata_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
notifications_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
offline_controller_spec.rb Add RSpec 4 compatibility (#17652) 2022-07-28 10:27:38 +08:00
omniauth_callbacks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
onebox_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
permalinks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_action_users_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_actions_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_readers_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
posts_controller_spec.rb DEV: Only allow expanding hidden posts for author and staff (#21052) 2023-04-25 13:37:29 +08:00
presence_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
published_pages_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
push_notification_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
qunit_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
reviewable_claimed_topics_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
reviewables_controller_spec.rb FEATURE: Allow admins to delete reviewables via API (#21174) 2023-04-20 09:38:41 -05:00
robots_txt_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
safe_mode_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
search_controller_spec.rb DEV: Disable SearchIndexer after fabrication (#21378) 2023-05-04 09:20:52 +08:00
session_controller_spec.rb FEATURE: add a setting to allowlist DiscourseConnect return path domains (#21110) 2023-04-17 22:53:50 +05:30
sidebar_sections_controller_spec.rb DEV: move sidebar community section to database (#21166) 2023-05-04 12:14:09 +10:00
similar_topics_controller_spec.rb DEV: Disable SearchIndexer after fabrication (#21378) 2023-05-04 09:20:52 +08:00
site_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
sitemap_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
slugs_controller_spec.rb DEV: fix a flakey spec in slugs_controller (#20350) 2023-02-17 18:56:25 +01:00
static_controller_spec.rb DEV: Update the rubocop setup (#20668) 2023-03-14 11:42:11 +01:00
steps_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
stylesheets_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
svg_sprite_controller_spec.rb FIX: IconPicker option to display only available icons (#20235) 2023-02-13 09:24:47 +11:00
tag_groups_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
tags_controller_spec.rb DEV: Strictly filter tag search limit parameter input (#21524) 2023-05-12 16:49:14 +08:00
theme_javascripts_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
topics_controller_spec.rb UX: Improve error message when a topic cannot be moved due to category restrictions (#20900) 2023-03-31 02:18:57 +08:00
uploads_controller_multisite_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
uploads_controller_spec.rb DEV: Change external upload rate limit maximums to settings (#20577) 2023-03-08 15:27:17 +10:00
user_actions_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
user_api_keys_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
user_avatars_controller_spec.rb Adjust user avatar redirect cache-control header (#20291) 2023-02-15 09:13:19 +00:00
user_badges_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
user_status_controller_spec.rb DEV: Fix user_status_controller_spec flakiness (#20083) 2023-01-30 22:42:47 +00:00
users_controller_spec.rb FEATURE: Only list watching group messages in messages notifications panel (#20630) 2023-03-13 08:09:38 +08:00
users_email_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
webhooks_controller_spec.rb FEATURE: Verify email webhook signatures (#19690) 2023-01-16 19:16:17 +02:00
wizard_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00