From 4f74fe3186d26ec3ceab34b5e86ec7bd9d5954fb Mon Sep 17 00:00:00 2001
From: Jonathan Rochkind <jonathan@dnil.net>
Date: Tue, 3 Dec 2024 19:20:05 -0500
Subject: [PATCH 1/2] bad query params to #range_limit action should not result
 in uncaught exception

Note that raising these specific excpetions will be automatically turned by rails into BadRequest => http 400, and NotFound => http 404 response.
---
 .../range_limit_builder.rb                    |  8 +++
 .../range_limit_action_method_spec.rb         | 61 +++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 spec/controllers/range_limit_action_method_spec.rb

diff --git a/lib/blacklight_range_limit/range_limit_builder.rb b/lib/blacklight_range_limit/range_limit_builder.rb
index 8c3c00e..15e63ba 100644
--- a/lib/blacklight_range_limit/range_limit_builder.rb
+++ b/lib/blacklight_range_limit/range_limit_builder.rb
@@ -48,6 +48,11 @@ def add_range_limit_params(solr_params)
     # range_field, range_start, range_end
     def fetch_specific_range_limit(solr_params)
       field_key = blacklight_params[:range_field] # what field to fetch for
+
+      unless  blacklight_params[:range_start].present? && blacklight_params[:range_end].present?
+        raise BlacklightRangeLimit::InvalidRange
+      end
+
       start = blacklight_params[:range_start].to_i
       finish = blacklight_params[:range_end].to_i
 
@@ -61,6 +66,9 @@ def fetch_specific_range_limit(solr_params)
       solr_params[:rows] = 0
 
       return solr_params
+    rescue BlacklightRangeLimit::InvalidRange
+      # This will make Rails return a 400
+      raise ActionController::BadRequest, "invalid range_start (#{blacklight_params[:range_start]}) or range_end (#{blacklight_params[:range_end]})"
     end
 
     # hacky polyfill for new Blacklight behavior we need, if we don't have it yet
diff --git a/spec/controllers/range_limit_action_method_spec.rb b/spec/controllers/range_limit_action_method_spec.rb
new file mode 100644
index 0000000..c43ed51
--- /dev/null
+++ b/spec/controllers/range_limit_action_method_spec.rb
@@ -0,0 +1,61 @@
+require 'spec_helper'
+
+RSpec.describe CatalogController,  type: :controller do
+  # Note that ActionController::BadRequest is caught by rails and turned into a 400
+  # response, and ActionController::RoutingError is caught by raisl and turned into 404
+  describe "bad params" do
+    let (:facet_field) { "pub_date_si" }
+
+    it "without start param present raise BadRequest " do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1931"
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "without end param raise BadRequest " do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1931"
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "without either boundary raise BadRequest" do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "without a range_field raise RoutingError" do
+      expect {
+        get :range_limit, params: {}
+      }.to raise_error(ActionController::RoutingError)
+    end
+
+    it "with params out of order raise BadRequest"  do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1940",
+          "range_end"=>"1930"
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+
+    it "with one of the params is an array raise BadRequest" do
+      expect {
+        get :range_limit, params: {
+          "range_field"=> facet_field,
+          "range_start"=>"1931",
+          "range_end"=>["1940"]
+        }
+      }.to raise_error(ActionController::BadRequest)
+    end
+  end
+end

From c7769415a4e79523d6d43b109036cc65238fafcf Mon Sep 17 00:00:00 2001
From: Jonathan Rochkind <jonathan@dnil.net>
Date: Tue, 3 Dec 2024 19:47:04 -0500
Subject: [PATCH 2/2] catch more bad params in BL 7 too

---
 lib/blacklight_range_limit/range_limit_builder.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/blacklight_range_limit/range_limit_builder.rb b/lib/blacklight_range_limit/range_limit_builder.rb
index 15e63ba..e13066b 100644
--- a/lib/blacklight_range_limit/range_limit_builder.rb
+++ b/lib/blacklight_range_limit/range_limit_builder.rb
@@ -49,7 +49,8 @@ def add_range_limit_params(solr_params)
     def fetch_specific_range_limit(solr_params)
       field_key = blacklight_params[:range_field] # what field to fetch for
 
-      unless  blacklight_params[:range_start].present? && blacklight_params[:range_end].present?
+      unless  blacklight_params[:range_start].present? && blacklight_params[:range_start].kind_of?(String) &&
+              blacklight_params[:range_end].present? && blacklight_params[:range_end].kind_of?(String)
         raise BlacklightRangeLimit::InvalidRange
       end