From d8b468e7a1a2c4c93c57cbf876c19e05aa7ad71a Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 11 Apr 2024 09:23:06 +0100
Subject: [PATCH] Add validation for maximum ID passed to changesets#index

---
 app/controllers/changesets_controller.rb | 2 ++
 test/controllers/changesets_controller_test.rb | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/app/controllers/changesets_controller.rb b/app/controllers/changesets_controller.rb
index 3ea5fb64e..757664b58 100644
--- a/app/controllers/changesets_controller.rb
+++ b/app/controllers/changesets_controller.rb
@@ -18,6 +18,8 @@ class ChangesetsController < ApplicationController
 ##
 # list non-empty changesets in reverse chronological order
 def index
+ param! :max_id, Integer, :min => 1
+
 @params = params.permit(:display_name, :bbox, :friends, :nearby, :max_id, :list)
 
 if request.format == :atom && @params[:max_id]
diff --git a/test/controllers/changesets_controller_test.rb b/test/controllers/changesets_controller_test.rb
index 1fd9de2e8..44022ba20 100644
--- a/test/controllers/changesets_controller_test.rb
+++ b/test/controllers/changesets_controller_test.rb
@@ -92,6 +92,15 @@ class ChangesetsControllerTest < ActionDispatch::IntegrationTest
 check_index_result(changesets.last(20))
 end
 
+ ##
+ # This should report an error
+ def test_index_invalid_xhr
+ %w[-1 0 fred].each do |id|
+ get history_path(:format => "html", :list => "1", :max_id => id)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+ end
+ end
+
 ##
 # This should display the last 20 changesets closed in a specific area
 def test_index_bbox
--
2.39.5
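Review bot: The new `param! :max_id, Integer, :min => 1` line bounds max_id from below only, so a value that parses as an Integer but is far larger than any changeset id (Ruby integers are arbitrary precision) still passes validation and, if it is later compared against a fixed-width database column, would presumably fail inside the query as a server error rather than as the bad-request response the test expects. If the id column is 64-bit, adding an upper bound such as `:max => 2**63 - 1` would keep the failure mode consistent with the negative and non-numeric cases. A one-line why-comment above the call would also help the next reader, e.g. `# reject non-positive or non-numeric max_id before it reaches the query`. The body of `index` continues past the end of this hunk, so how a validation failure is turned into the bad_request redirect is not visible here and is assumed to be handled by the surrounding application.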
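Review bot: `test_index_invalid_xhr` exercises only `:format => "html"`, while the controller hunk shows a separate `request.format == :atom && @params[:max_id]` branch immediately after the new validation; the test does not confirm that an invalid max_id is rejected before that branch runs. Iterating the format as well, e.g. `%w[html atom].each do |format|` wrapping the existing `%w[-1 0 fred].each` loop and passing `:format => format`, would cover both paths with the same assertion. The method name says "xhr" but the request is a plain `get` with `:list => "1"`, so a name like `test_index_invalid_max_id` would describe what is actually tested. The enclosing test class continues outside the hunk.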