From 21eeb2cc28ace75e17271dfda79edd1c65a733de Mon Sep 17 00:00:00 2001
From: Peter Bengtsson <peterbe@github.com>
Date: Wed, 31 May 2023 07:37:14 -0400
Subject: [PATCH] validate that 'pathname' is not repeated as query (#37319)

---
 src/pageinfo/middleware.js     | 3 +++
 src/pageinfo/tests/pageinfo.js | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/src/pageinfo/middleware.js b/src/pageinfo/middleware.js
index 58549f203d..9045885b3b 100644
--- a/src/pageinfo/middleware.js
+++ b/src/pageinfo/middleware.js
@@ -21,6 +21,9 @@ const validationMiddleware = (req, res, next) => {
   if (!pathname) {
     return res.status(400).json({ error: `No 'pathname' query` })
   }
+  if (Array.isArray(pathname)) {
+    return res.status(400).json({ error: "Multiple 'pathname' keys" })
+  }
   if (!pathname.trim()) {
     return res.status(400).json({ error: `'pathname' query empty` })
   }
diff --git a/src/pageinfo/tests/pageinfo.js b/src/pageinfo/tests/pageinfo.js
index 28b5b6da54..c4707ca55d 100644
--- a/src/pageinfo/tests/pageinfo.js
+++ b/src/pageinfo/tests/pageinfo.js
@@ -63,6 +63,13 @@ describe('pageinfo api', () => {
     expect(error).toBe("'pathname' query empty")
   })
 
+  test('repeated pathname query string key', async () => {
+    const res = await get('/api/pageinfo/v1?pathname=a&pathname=b')
+    expect(res.statusCode).toBe(400)
+    const { error } = JSON.parse(res.body)
+    expect(error).toBe("Multiple 'pathname' keys")
+  })
+
   test('redirects correct the URL', async () => {
     // Regular redirect from `redirect_from`
     {