bad query params to #range_limit action should not result in uncaught exception

jrochkind · jrochkind · commit 1455ed965ee2 · 2024-12-03T19:20:05.000-05:00
diff --git a/lib/blacklight_range_limit/range_limit_builder.rb b/lib/blacklight_range_limit/range_limit_builder.rb
@@ -48,6 +48,11 @@ def add_range_limit_params(solr_params)
     # range_field, range_start, range_end
     def fetch_specific_range_limit(solr_params)
       field_key = blacklight_params[:range_field] # what field to fetch for
+
+      unless  blacklight_params[:range_start].present? && blacklight_params[:range_end].present?
+        raise BlacklightRangeLimit::InvalidRange
+      end
+
       start = blacklight_params[:range_start].to_i
       finish = blacklight_params[:range_end].to_i
 
@@ -61,6 +66,9 @@ def fetch_specific_range_limit(solr_params)
       solr_params[:rows] = 0
 
       return solr_params
+    rescue BlacklightRangeLimit::InvalidRange
+      # This will make Rails return a 400
+      raise ActionController::BadRequest, "invalid range_start (#{blacklight_params[:range_start]}) or range_end (#{blacklight_params[:range_end]})"
     end
 
     # hacky polyfill for new Blacklight behavior we need, if we don't have it yet
diff --git a/spec/controllers/range_limit_action_method_spec.rb b/spec/controllers/range_limit_action_method_spec.rb
@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+RSpec.describe CatalogController,  type: :controller do
+  describe "bad params" do
+    let (:facet_field) { "pub_date_si" }
+
+    it "BadRequest without start param present" do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1931"
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "BadRequest without end param" do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1931"
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "BadRequest without either boundary" do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "NotFound without a range_field" do
+      expect {
+        get :range_limit, params: {}
+      }.to raise_error(ActionController::RoutingError)
+    end
+
+    it "BadRequest if params out of order" do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1940",
+          "range_end"=>"1930"
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "BadRequest if one of the params is an array" do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1931",
+          "range_end"=>["1940"]
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+  end
+end
