version 1.6.4: 400 on negative offset/limit

c97d9277 · Dean · c4cc52a7 · c97d9277 · c97d9277 · c97d9277
Commit c97d9277 authored 5 years ago by Dean
--- a/lib/apierrors/errors.go
+++ b/lib/apierrors/errors.go
@@ -33,7 +33,7 @@ var (
 	InvalidOffsetOrLimit = APIError{false, 400, "invalid offset or limit query paramters", false}
 	// OffsetTooLarge is a 400 bad request error.
-	OffsetTooLarge = APIError{false, 400, "offset is too big", false}
+	LimitTooLarge = APIError{false, 400, "limit is too big", false}
 	// NoObjectFound is a 404 not found error.
 	NoObjectFound = APIError{false, 404, "no object found", false}

--- a/lib/routes/listobjects.go
+++ b/lib/routes/listobjects.go
@@ -15,7 +15,7 @@ import (
 )
 // Maximum objects per page
-const maxOffset = 100
+const maxLimit = 100
 // listObjectsResponse is the response format for ListObjects.
 type listObjectsResponse struct {
@@ -45,17 +45,17 @@ func ListObjects(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	l := query.Get("limit")
 	limit, err := strconv.Atoi(l)
-	if err != nil {
+	if err != nil || limit < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
+	if limit > maxLimit {
+		panic(apierrors.LimitTooLarge)
+	}
 	o := query.Get("offset")
 	offset, err := strconv.Atoi(o)
-	if err != nil {
+	if err != nil || offset < 0 {
 		panic(apierrors.InvalidOffsetOrLimit)
 	}
-	if limit > maxOffset {
-		panic(apierrors.OffsetTooLarge)
-	}
 	asc := false
 	if query.Get("order") == "asc" {
 		asc = true

--- a/main.go
+++ b/main.go
@@ -26,7 +26,7 @@ import (
 const (
 	configLocationUnix = "/etc/whats-this/api/config.toml"
 	shutdownTimeout    = 10 * time.Second
-	version            = "1.6.3"
+	version            = "1.6.4"
 )
 // printConfiguration iterates through a configuration map[string]interface{}