Merge branch 'limit-error' into 'master'

Ensure commits limit is always positive

See merge request gitlab-org/gitlab!72274

app/controllers/projects/commits_controller.rb

@@ -6,6 +6,8 @@ class Projects::CommitsController < Projects::ApplicationController
   include ExtractsPath
   include RendersCommits
 
+  COMMITS_DEFAULT_LIMIT = 40
+
   prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
   around_action :allow_gitaly_ref_name_caching
   before_action :require_non_empty_project
@@ -63,7 +65,9 @@ class Projects::CommitsController < Projects::ApplicationController
 
   def set_commits
     render_404 unless @path.empty? || request.format == :atom || @repository.blob_at(@commit.id, @path) || @repository.tree(@commit.id, @path).entries.present?
-    @limit = (params[:limit] || 40).to_i
+
+    limit = params[:limit].to_i
+    @limit = limit > 0 ? limit : COMMITS_DEFAULT_LIMIT # limit can only ever be a positive number
     @offset = (params[:offset] || 0).to_i
     search = params[:search]
     author = params[:author]

spec/controllers/projects/commits_controller_spec.rb

@@ -67,6 +67,29 @@ RSpec.describe Projects::CommitsController do
         end
       end
 
+      context "with an invalid limit" do
+        let(:id) { "master/README.md" }
+
+        it "uses the default limit" do
+          expect_any_instance_of(Repository).to receive(:commits).with(
+            "master",
+            path: "README.md",
+            limit: described_class::COMMITS_DEFAULT_LIMIT,
+            offset: 0
+          ).and_call_original
+
+          get(:show,
+              params: {
+                namespace_id: project.namespace,
+                project_id: project,
+                id: id,
+                limit: "foo"
+            })
+
+          expect(response).to be_successful
+        end
+      end
+
       context "when the ref name ends in .atom" do
         context "when the ref does not exist with the suffix" do
           before do