From c97d9277ba0b5ee664e6a0918688bc51b68ea842 Mon Sep 17 00:00:00 2001
From: Dean Sheather <dean@deansheather.com>
Date: Sat, 30 Mar 2019 04:15:27 +1000
Subject: [PATCH] version 1.6.4: 400 on negative offset/limit

---
 lib/apierrors/errors.go   |  2 +-
 lib/routes/listobjects.go | 12 ++++++------
 main.go                   |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/apierrors/errors.go b/lib/apierrors/errors.go
index 8b0b1c3..67c9c10 100644
--- a/lib/apierrors/errors.go
+++ b/lib/apierrors/errors.go
@@ -33,7 +33,7 @@ var (
 	InvalidOffsetOrLimit = APIError{false, 400, "invalid offset or limit query paramters", false}
 
 	// OffsetTooLarge is a 400 bad request error.
-	OffsetTooLarge = APIError{false, 400, "offset is too big", false}
+	LimitTooLarge = APIError{false, 400, "limit is too big", false}
 
 	// NoObjectFound is a 404 not found error.
 	NoObjectFound = APIError{false, 404, "no object found", false}
diff --git a/lib/routes/listobjects.go b/lib/routes/listobjects.go
index 8647c39..c4a9058 100644
--- a/lib/routes/listobjects.go
+++ b/lib/routes/listobjects.go
@@ -15,7 +15,7 @@ import (
 )
 
 // Maximum objects per page
-const maxOffset = 100
+const maxLimit = 100
 
 // listObjectsResponse is the response format for ListObjects.
 type listObjectsResponse struct {
@@ -45,17 +45,17 @@ func ListObjects(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	l := query.Get("limit")
 	limit, err := strconv.Atoi(l)
-	if err != nil {
+	if err != nil || limit < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
+	if limit > maxLimit {
+		panic(apierrors.LimitTooLarge)
+	}
 	o := query.Get("offset")
 	offset, err := strconv.Atoi(o)
-	if err != nil {
+	if err != nil || offset < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
-	if limit > maxOffset {
-		panic(apierrors.OffsetTooLarge)
-	}
 	asc := false
 	if query.Get("order") == "asc" {
 		asc = true
diff --git a/main.go b/main.go
index 9049d1d..f3c2563 100644
--- a/main.go
+++ b/main.go
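Review bot: The doc comment above the renamed variable still reads `// OffsetTooLarge is a 400 bad request error.` while the identifier is now `LimitTooLarge`; Go doc comments start with the exported name, so the context line should become `// LimitTooLarge is a 400 bad request error.`. The untouched context line just above also carries a typo in a client-visible message (`"invalid offset or limit query paramters"`); it is pre-existing, but since it is an API response body it is worth a follow-up rather than silent drift. Renaming an exported identifier in lib/apierrors is a breaking change for any other package that referenced OffsetTooLarge, which this diff does not show; presumably ListObjects was the only caller.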
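Review bot: A `limit` of exactly 0 still passes both new guards in the ListObjects hunk, because the added checks only reject negatives and values above maxLimit; if the store layer treats zero as "unbounded", the page cap is bypassed, so either reject it with the negatives, `if err != nil || limit <= 0 {`, or substitute a default before the `limit > maxLimit` check — please confirm which the store expects. Both `strconv.Atoi` calls also fail on an absent parameter, so omitting `limit` or `offset` yields a 400 rather than a default; that behavior predates this commit but deserves a sentence in the ListObjects doc comment, e.g. `// ListObjects requires the limit and offset query parameters; both must be non-negative and limit may not exceed maxLimit.`. There is still no upper bound on `offset`, which is fine for correctness but means very large offsets reach the store unchecked. The body of ListObjects begins and continues outside this hunk.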
@@ -26,7 +26,7 @@ import (
 const (
 	configLocationUnix = "/etc/whats-this/api/config.toml"
 	shutdownTimeout    = 10 * time.Second
-	version            = "1.6.3"
+	version            = "1.6.4"
 )
 
 // printConfiguration iterates through a configuration map[string]interface{}
-- 
GitLab