From 5d887a37bf9f4687724edf5b2760ed67e6fdb0b9 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 11 Apr 2024 08:46:40 +0100
Subject: [PATCH] Add validation for page number passed to notes#index
---
 app/controllers/notes_controller.rb | 2 ++
 test/controllers/notes_controller_test.rb | 9 +++++++++
 2 files changed, 11 insertions(+)
diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 97efc3eda..26d27692e 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -16,6 +16,8 @@ class NotesController < ApplicationController
 ##
 # Display a list of notes by a specified user
 def index
+ param! :page, Integer, :min => 1
+
 @params = params.permit(:display_name)
 @title = t ".title", :user => @user.display_name
 @page = (params[:page] || 1).to_i
diff --git a/test/controllers/notes_controller_test.rb b/test/controllers/notes_controller_test.rb
index e68a5f33b..c778f41c2 100644
--- a/test/controllers/notes_controller_test.rb
+++ b/test/controllers/notes_controller_test.rb
@@ -83,6 +83,15 @@ class NotesControllerTest < ActionDispatch::IntegrationTest
 assert_select "table.note_list tbody tr", :count => 10
 end
+ def test_index_invalid_paged
+ user = create(:user)
+
+ %w[-1 0 fred].each do |page|
+ get user_notes_path(user, :page => page)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+ end
+ end
+
 def test_empty_page
 user = create(:user)
 get user_notes_path(user)
--
2.39.5
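Review bot: The new `param! :page, Integer, :min => 1` at the top of `index` bounds the page number only from below, so an arbitrarily large integer still passes and reaches `@page = (params[:page] || 1).to_i`. How `@page` is used lies outside the hunk, but if it feeds an offset calculation, a very large value could force an expensive query or overflow the database integer type and surface as a server error instead of a bad request. If `param!` here is the rails_param helper, consider an upper bound as well, e.g. `param! :page, Integer, :min => 1, :max => MAX_PAGE` (constant name is a placeholder), plus a one-line comment saying that invalid values are redirected to the bad-request error page. The body of `index` continues outside the hunk.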
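Review bot: The value list in `test_index_invalid_paged` checks `-1`, `0` and `fred`, but leaves out the shapes that most often slip past integer validation: a non-scalar parameter (`page[]=1`), a decimal such as `1.5`, and a number far beyond any real page. Adding cases such as `get user_notes_path(user, :page => ["1"])` and asserting the bad-request redirect (or whatever response is intended) would pin that behaviour, so a later change to the validation cannot silently turn these inputs into server errors. The enclosing test class starts and ends outside the hunk.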