6887ae4087
Ran a claude /security-review, fixed two vulnerabilities Use a plug to resolve blog_id, returning a clean 404 for unknown blogs instead of raising with inspect(). Parse page param with Integer.parse so invalid values (non-numeric, negative, zero) fall back to page 1 instead of crashing. Add 5 tests covering these cases.a
68 lines
1.5 KiB
Elixir
68 lines
1.5 KiB
Elixir
defmodule FirehoseWeb.BlogController do
|
|
use FirehoseWeb, :controller
|
|
|
|
plug :resolve_blog
|
|
|
|
def index(conn, params) do
|
|
blog = conn.assigns.blog
|
|
page = parse_page(params["page"])
|
|
result = blog.paginate(page)
|
|
|
|
render(conn, :index,
|
|
page_title: blog.title(),
|
|
blog_title: blog.title(),
|
|
blog_description: blog.description(),
|
|
posts: result.entries,
|
|
base_path: blog.base_path(),
|
|
page: result.page,
|
|
total_pages: result.total_pages
|
|
)
|
|
end
|
|
|
|
def show(conn, %{"slug" => slug}) do
|
|
blog = conn.assigns.blog
|
|
post = blog.get_post!(slug)
|
|
|
|
render(conn, :show,
|
|
page_title: post.title,
|
|
post: post,
|
|
base_path: blog.base_path()
|
|
)
|
|
end
|
|
|
|
def tag(conn, %{"tag" => tag}) do
|
|
blog = conn.assigns.blog
|
|
posts = blog.posts_by_tag(tag)
|
|
|
|
render(conn, :tag,
|
|
page_title: "#{blog.title()} — #{tag}",
|
|
blog_title: blog.title(),
|
|
tag: tag,
|
|
posts: posts,
|
|
base_path: blog.base_path()
|
|
)
|
|
end
|
|
|
|
defp resolve_blog(%{params: %{"blog_id" => "engineering"}} = conn, _opts),
|
|
do: assign(conn, :blog, Firehose.EngineeringBlog)
|
|
|
|
defp resolve_blog(%{params: %{"blog_id" => "releases"}} = conn, _opts),
|
|
do: assign(conn, :blog, Firehose.ReleaseNotes)
|
|
|
|
defp resolve_blog(conn, _opts) do
|
|
conn
|
|
|> put_status(:not_found)
|
|
|> put_view(FirehoseWeb.ErrorHTML)
|
|
|> render(:"404")
|
|
|> halt()
|
|
end
|
|
|
|
defp parse_page(nil), do: 1
|
|
defp parse_page(str) do
|
|
case Integer.parse(str) do
|
|
{page, ""} when page > 0 -> page
|
|
_ -> 1
|
|
end
|
|
end
|
|
end
|