shreemaan-abhishek opened a new pull request, #13573:
URL: https://github.com/apache/apisix/pull/13573
### Description
`limit-count` lets `count` and `time_window` be set from a request variable,
e.g. `"count": "${http_count ?? 2}"`. At request time the resolved string was
only coerced with `tonumber` and checked for being a number. It was never
bounds-checked, so a client-supplied value of `0`, a negative, a fractional, or
an out-of-range number bypassed the schema's `> 0` integer constraint:
- `0`/negative hit the limiter constructor's `assert(limit > 0 and window >
0)`, turning a client header into a request-time error.
- fractional/huge values skewed the limiter's math.
This mirrors the validation `limit-conn` already performs on its
variable-resolved `conn`/`burst`: the resolved value must be a positive integer
within the safe integer range (`2^53-1`). Invalid values are now rejected
through the normal error path instead of reaching the limiter.
`limit-conn`'s identical gap was already fixed; this closes the same hole in
`limit-count`.
#### Which issue(s) this PR fixes:
N/A (hardening; reported internally against the API7 fork)
### Checklist
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change (docs already
state `> 0`; behavior now matches)
- [x] I have verified that this change is backward compatible
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]