This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch proper-pagination-validation-checks in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 8d56a44f4e98def1dfc18414dde8a3127857f31b
Author: Dave Fisher <[email protected]>
AuthorDate: Thu Feb 26 15:18:49 2026 -0800

    Proper pagination validation checks
---
 atr/api/__init__.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/atr/api/__init__.py b/atr/api/__init__.py
index 7e2c6117..251e268e 100644
--- a/atr/api/__init__.py
+++ b/atr/api/__init__.py
@@ -1471,9 +1471,20 @@ async def _match_unfinished(release_directory: pathlib.Path, data: models.api.Si
 def _pagination_args_validate(query_args: Any) -> None:
     # Users could request any amount using limit=N with arbitrarily high N
     # We therefore limit the maximum limit to 1000
-    if hasattr(query_args, "limit") and (query_args.limit > 1000):
-        # quart.abort(400, "Limit is too high")
-        raise exceptions.BadRequest("Maximum limit of 1000 exceeded")
+    if hasattr(query_args, "limit"):
+        limit = query_args.limit
+        if limit > 1000:
+            raise exceptions.BadRequest("Maximum limit of 1000 exceeded")
+        elif limit < 1:
+            raise exceptions.BadRequest("Minimum limit less than 1 is nonsense")
+    # Users could request any amount using offset=N with arbitrarily high N
+    # We therefore limit the maximum offset to 1000000
+    if hasattr(query_args, "offest"):
+        offset = query_args.offset
+        if offset > 1000000:
+            raise exceptions.BadRequest("Maximum offset of 1000000 exceeded")
+        elif offset < 0:
+            raise exceptions.BadRequest("Minimum offset less than 0 is nonsense")
 
 
 def _simple_check(*args: str | None) -> None:
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
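Review bot: The new offset guard is dead code because the attribute name is misspelled in `hasattr(query_args, "offest")`, so `hasattr` is always false and neither the 1000000 ceiling nor the negative check ever runs — an arbitrarily large or negative offset still reaches the query. The fix is a one-character change, `if hasattr(query_args, "offset"):`, and a unit test that asserts `_pagination_args_validate` rejects `offset=-1` and `offset=10**7` would have caught it. The `limit`/`offset` comparisons also assume the attribute is an int when present; if these fields can be `None` on the query model (which the hunk does not show), `limit < 1` raises `TypeError` and surfaces as a 500 rather than a 400, so a `is not None` guard or a per-field `getattr(query_args, "offset", None)` with an explicit int check is worth confirming against the model definition.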
