From 672adf40b2e13547888a77123d12fb45c71d3370 Mon Sep 17 00:00:00 2001
From: Markus Bucher <bucher@atix.de>
Date: Tue, 3 Dec 2024 17:16:38 +0100
Subject: [PATCH] Fixes #38076 - Sanitize content_view repository_ids param

---
 app/controllers/katello/api/v2/content_views_controller.rb | 5 ++++-
 test/controllers/api/v2/content_views_controller_test.rb   | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/katello/api/v2/content_views_controller.rb b/app/controllers/katello/api/v2/content_views_controller.rb
index a182c1eaa48..62e2e08cd9f 100644
--- a/app/controllers/katello/api/v2/content_views_controller.rb
+++ b/app/controllers/katello/api/v2/content_views_controller.rb
@@ -288,7 +288,10 @@ def view_params
       if (!@content_view || !@content_view.composite?)
         attrs.push({:repository_ids => []}, :repository_ids)
       end
-      params.require(:content_view).permit(*attrs).to_h
+      result = params.require(:content_view).permit(*attrs).to_h
+      # sanitize repository_ids to be a list of integers
+      result[:repository_ids] = result[:repository_ids].map(&:to_i) if result[:repository_ids].present?
+      result
     end
 
     def find_environment
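Review bot: `map(&:to_i)` on the new line 22 turns malformed ids into `0` rather than rejecting them ("abc".to_i, "12abc".to_i → 0 and 12), so a garbage `repository_ids` entry silently becomes a lookup for repository 0 downstream instead of a parameter error. Since `attrs` permits `:repository_ids` both as an array and as a bare scalar, a scalar string value would also reach `.map` and raise NoMethodError, if that form is actually accepted in practice. A stricter version is `result[:repository_ids] = Array(result[:repository_ids]).map { |id| Integer(id.to_s, 10) } if result[:repository_ids].present?`, which raises ArgumentError on non-numeric input and tolerates the scalar case; whether that ArgumentError maps to a 4xx depends on error handling outside this hunk. The `view_params` method starts before the hunk, so the full set of permitted attributes is not visible here.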
diff --git a/test/controllers/api/v2/content_views_controller_test.rb b/test/controllers/api/v2/content_views_controller_test.rb
index 98cc4e1300e..14bbfca2e87 100644
--- a/test/controllers/api/v2/content_views_controller_test.rb
+++ b/test/controllers/api/v2/content_views_controller_test.rb
@@ -243,8 +243,8 @@ def test_update_repositories_strings
 
       params = { :repository_ids => [repository.id.to_s] }
       assert_sync_task(::Actions::Katello::ContentView::Update) do |_content_view, content_view_params|
-        assert_equal content_view_params.key?(:repository_ids), true
-        assert_equal content_view_params[:repository_ids], params[:repository_ids]
+        assert content_view_params.key?(:repository_ids)
+        assert_equal [repository.id], content_view_params[:repository_ids]
       end
       put :update, params: { :id => @library_dev_staging_view.id, :content_view => params }
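Review bot: The updated assertion on line 38 only pins the happy path (a numeric string becomes an Integer); nothing exercises what the sanitization does with a non-numeric value, which is the case the commit title is about. A companion test sending `{ :repository_ids => ["not-a-number"] }` and asserting the resulting status or the value passed to the update action would document whether such input is rejected or coerced to `0`. `test_update_repositories_strings` starts and ends outside the hunk.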