sanitize pagination query in history view

Author: vladak

opengrok-indexer/src/main/java/org/opengrok/indexer/web/Laundromat.java

@@ -19,6 +19,7 @@
 
 /*
  * Copyright (c) 2020, Chris Fraire <[email protected]>.
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
  */
 package org.opengrok.indexer.web;
 
@@ -72,6 +73,17 @@ public static String launderRevision(String value) {
         return replaceAll(value, "[^a-zA-Z0-9:]", "");
     }
 
+    /**
+     * Sanitize {@code value} where it will be used in subsequent OpenGrok
+     * (non-logging) processing. The value is assumed to represent a pagination query string,
+     * e.g. {@code n=25&start=25}
+     * @return {@code null} if null or else {@code value} with anything besides
+     * alphanumeric or {@code &}, {@code =} characters removed.
+     */
+    public static String launderPaginationQuery(String value) {
+        return replaceAll(value, "[^a-zA-Z0-9=&]", "");
+    }
+
     /**
      * Sanitize {@code value} where it will be used in subsequent OpenGrok
      * (non-logging) processing. The value is assumed to represent URI path,

opengrok-indexer/src/test/java/org/opengrok/indexer/web/LaundromatTest.java

@@ -86,6 +86,17 @@ void testLaunderUriPath(Pair<String, String> param) {
         assertEquals(param.getLeft(), param.getRight());
     }
 
+    private static Stream<Pair<String, String>> getParamsForTestLaunderPaginationQuery() {
+        return Stream.of(Pair.of("foo=bar", Laundromat.launderPaginationQuery("?foo=/bar")),
+                Pair.of("foo=bar&1=2", Laundromat.launderPaginationQuery("foo=bar&1=2")));
+    }
+
+    @ParameterizedTest
+    @MethodSource("getParamsForTestLaunderPaginationQuery")
+    void testLaunderPaginationQuery(Pair<String, String> param) {
+        assertEquals(param.getLeft(), param.getRight());
+    }
+
     @Test
     void launderLogMap() {
         HashMap<String, String[]> testMap = new HashMap<>();

opengrok-web/src/main/webapp/history.jsp

@@ -48,6 +48,7 @@ org.opengrok.indexer.web.Util"
 <%@ page import="jakarta.servlet.http.HttpServletResponse" %>
 <%@ page import="org.opengrok.indexer.web.SortOrder" %>
 <%@ page import="java.util.Optional" %>
+<%@ page import="org.opengrok.indexer.web.Laundromat" %>
 <%/* ---------------------- history.jsp start --------------------- */
 {
     final Logger LOGGER = LoggerFactory.getLogger(getClass());
@@ -291,7 +292,7 @@ document.domReady.push(function() {domReadyHistory();});
                     if (entry.isActive()) {
                         StringBuffer urlBuffer = new StringBuffer(context + Prefix.HIST_L + uriEncodedName);
                         if (request.getQueryString() != null) {
-                            urlBuffer.append('?').append(request.getQueryString());
+                            urlBuffer.append('?').append(Laundromat.launderPaginationQuery(request.getQueryString()));
                         }
                         urlBuffer.append('#').append(Util.uriEncode(rev));
             %>