Fix: rescue malformed page param in Pagy::Keyset and KeynavJsPaginator

[7a6163]

Summary

Two sibling locations call JSON.parse(B64.urlsafe_decode(page)) on an attacker-controlled request param without rescuing exceptions. Any malformed ?page= value (invalid base64, or valid base64 of non-JSON) raises uncaught and propagates as a 500:

GET /items?page=garbage    # -> 500 ArgumentError: invalid base64
GET /items?page=aGVsbG8    # -> 500 JSON::ParserError: unexpected character

Affected sites:

• gem/lib/pagy/classes/keyset/keyset.rb — Pagy::Keyset#assign_page
• gem/lib/pagy/toolbox/paginators/keynav_js.rb — KeynavJsPaginator.paginate

This patch rescues both ArgumentError and JSON::ParserError at both call sites, matching Pagy::Request#resolve_page's existing silent-fallback-to-page-1 convention for malformed integer page params.

Why

This is not a security issue — an attacker doesn't gain data, access, or availability, and Ruby/puma handles 500 responses as fast as 200s so there's no DoS amplification. It's filed as a robustness fix.

But the small change improves operational behavior:

• Cleans up unhandled exceptions in Sentry/Datadog from web scanners and curious users
• Stops triggering 5xx-rate alerts on benign garbage input
• Lets clients distinguish "bad request" from "server is broken" for retry logic

Changes

• gem/lib/pagy/classes/keyset/keyset.rb — method-level rescue JSON::ParserError, ArgumentError that nils @page
• gem/lib/pagy/toolbox/paginators/keynav_js.rb — begin/rescue around the inline JSON.parse so options[:page] stays unset on parse failure
• test/unit/pagy/classes/keyset/keyset_test.rb — 2 new tests covering both exception paths against both Pet (ActiveRecord) and PetSequel (Sequel) via the existing [Pet, PetSequel].each loop
• test/unit/pagy/toolbox/paginators/keynav_test.rb — 2 new tests covering both exception paths via MockApp

Test plan

• bundle exec ruby -Ilib:test -Igem/lib -e 'ARGV.each{|f| require "./#{f}"}' test/unit/pagy/classes/keyset/keyset_test.rb — 43 tests, 92 assertions pass
• bundle exec ruby -Ilib:test -Igem/lib -e 'ARGV.each{|f| require "./#{f}"}' test/unit/pagy/toolbox/paginators/keynav_test.rb — 6 tests, 14 assertions pass
• bundle exec thor test:api:all — current + next API both green, 0 failures, 0 regressions
• bundle exec rubocop on all 4 changed files — 0 offenses
• Coverage neutral vs current master (master baseline on bundle exec thor test:api:coverage is currently 95.46% line / 98.70% branch; this patch goes to 95.47% / 98.71%, net positive)

Notes for reviewer

• @page = nil on rescue in Keyset#assign_page is intentional — downstream attr_reader :page then returns nil, matching the "no page param given" code path. @prior_cutoff stays unset (since the JSON.parse line that would set it didn't complete), so fetch_records correctly skips the apply_where(...) branch.
• In KeynavJsPaginator.paginate, leaving options[:page] unset on rescue means Keyset::Keynav#assign_page (line 49) takes the @page = @last = 1 branch — same first-page behavior as if no page param had been sent.
• Branched off master per CONTRIBUTING.md.

[ddnexus]

@7a6163 Thank you! This is one of the best contribution Pagy ever received! 🙌
It shows a deep understanding of its code, intentions and policies. Great description and explanation.

While reviewing your changes, I noticed that the my original Keyset#assign_page had redundant code, so I simplified it and extracted the Keyset.decode function to reduce duplication.

Thank you.

[7a6163]

Thanks @ddnexus — much cleaner. Tests green locally.