From c4eb633d8f013ec3688d241054e336362e2b45b5 Mon Sep 17 00:00:00 2001 From: John Ferlito Date: Sat, 9 Dec 2023 16:04:26 +1100 Subject: [PATCH] Better validation around kaminari parameters --- app/controllers/application_controller.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index ff181bf8..395da6f1 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -2,8 +2,21 @@ class ApplicationController < ActionController::Base before_action :set_timezone before_action :set_access_headers before_action :set_sentry_user + before_action :validate_per_page_param private + def validate_per_page_param + fields = %i[per_page items_page page files_per_page] + fields.each do |param| + next if params[param].blank? + + value = params[param] + unless value.is_a?(Integer) || (value.is_a?(String) && value.match?(/\A\d+\z/)) + params.delete(param) + end + end + end + rescue_from CanCan::AccessDenied do |exception| # If it's a JSON request, give a 40x rather than redirecting them case
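Review bot: The new check in `validate_per_page_param` constrains the shape of the value but not its magnitude: `/\A\d+\z/` accepts a digit string of any length, so an oversized `page` or `per_page` still reaches Kaminari, and as far as this hunk shows nothing else caps it (Kaminari's `max_per_page`/`max_pages` limits only apply when configured). A length or range bound would close that, e.g. `value.is_a?(String) && value.match?(/\A\d{1,9}\z/)` with a named constant documenting the chosen limit. The Integer branch is also looser than the String branch — `value.is_a?(Integer)` admits negative values from a JSON body that the regex rejects — so `value.is_a?(Integer) && value >= 0` keeps the two paths consistent. The method has no comment recording why the filter exists; a one-liner such as `# Drop pagination params Kaminari cannot safely coerce with to_i (arrays, hashes, non-numeric strings).` above the `def` would do.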