From 3b60b7f2f062665cf4dd7abf430c19d2bd82e651 Mon Sep 17 00:00:00 2001
From: Joel Stimson
Date: Wed, 29 Apr 2015 22:56:50 -0700
Subject: [PATCH] Verify that ids coming into teams#show are within bounds that can be searched by postgres. Bounty #454
---
 app/controllers/teams_controller.rb | 10 +++++++++-
 spec/controllers/teams_controller_spec.rb | 7 +++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
index 067ddcde..71d37d96 100644
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -256,10 +256,18 @@ def team_from_params(opts)
 if opts[:slug].present?
 Team.where(slug: opts[:slug].downcase).first
 else
- Team.find(opts[:id])
+ if valid_id?(opts[:id])
+ Team.find(opts[:id])
+ else
+ nil
+ end
 end
 end
+ def valid_id?(id)
+ id.to_i.to_s == id && id.to_i < 2147483647
+ end
+
 def replace_section(section_name)
 section_name = section_name.tr('-', '_')
 "$('##{section_name}').replaceWith('#{escape_javascript(render(:partial => section_name))}');"
diff --git a/spec/controllers/teams_controller_spec.rb b/spec/controllers/teams_controller_spec.rb
index 040c70b7..b503a77a 100644
--- a/spec/controllers/teams_controller_spec.rb
+++ b/spec/controllers/teams_controller_spec.rb
@@ -59,6 +59,13 @@
 get :show, slug: team.slug, job_id: 'not-a-real-job-slug'
 expect(assigns(:job_page)).to eq(false)
 end
+ context 'when searching by an out of bounds or non-integer id' do
+ it 'should render 404' do
+ get :show, id: '54209333547a9e5'
+ expect(response).to have_http_status(404)
+ end
+ end
 end
 describe '#create' do
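Review bot: The bound check in `valid_id?` only guards the upper end, so a negative id below the int4 minimum (e.g. `'-9999999999'`) still satisfies `id.to_i.to_s == id` and `id.to_i < 2147483647` and reaches `Team.find` with a value Postgres cannot cast to integer — presumably the very failure the commit message sets out to prevent — and `< 2147483647` also rejects the largest valid int4 value itself. A range check closes both gaps in one line: `id.to_i.to_s == id && id.to_i.between?(-2_147_483_648, 2_147_483_647)`. Note that `id.to_i.to_s == id` is a String comparison, so an Integer passed in `opts[:id]` by an internal caller would be rejected as well; whether such callers exist is not visible from this hunk, and `id.to_s` on the left would accept both forms. `team_from_params` begins outside the hunk (its `def` line appears only in the hunk header), and the new `if … else nil end` could simply read `Team.find(opts[:id]) if valid_id?(opts[:id])`.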
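Review bot: The new example exercises only the non-integer half of the context it names: `'54209333547a9e5'` fails `id.to_i.to_s == id`, so nothing in the spec covers an id that is numeric but beyond the int4 bound this commit introduces. Add a second example in the same context, e.g. `get :show, id: '2147483648'` with the same `have_http_status(404)` expectation, and ideally a large negative id too. The 404 expectation also presumes that `show` turns a nil team into a 404 — `team_from_params` now returns nil instead of raising, and that handling lives outside both hunks, so it is worth confirming rather than assuming. The enclosing `describe` block starts and ends outside the hunk.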