fix: reject negative BoTTube feed limits#6339
Conversation
github-actions
Bot
added
BCOS-L1
|
Welcome to RustChain! Thanks for your first pull request. Before we review, please make sure:
Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150) A maintainer will review your PR soon. Thanks for contributing! |
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work on this PR! The code looks clean and well-structured.
Review powered by RustChain Bounty Program
Wallet: AhqbFaPBPLMMiaLDzA9WhQcyvv4hMxiteLhPk3NhG1iG
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
shadow88sky
left a comment
shadow88sky
left a comment
There was a problem hiding this comment.
Reviewed the negative-limit handling across the BoTTube feed routes.
Concrete observations:
-
The parser-level change in
node/bottube_feed_routes.pyis well-scoped._parse_feed_limit()still treats a missing or blanklimitas the default, still clamps large positive values tomaximum, and now rejects only values below zero before they reach_fetch_videos(). That keeps the existinglimit=999 -> 100behavior intact while preventing negative slicing/query limits from becoming surprising downstream behavior. -
The error propagation is already wired correctly for all three public feed variants: RSS and Atom return
{"error": "Invalid parameter", "message": "limit must be non-negative"}through their existingexcept ValueError as eblocks, while/api/feedreturns its existingInvalid limit parameterresponse. The PR does not need separate route-level branches for this case. -
The regression test is useful because it checks
/api/feed/rss,/api/feed/atom, and/api/feedin one subTest loop, so the shared parser cannot be fixed for one endpoint and accidentally left untested on the others.
Small non-blocking suggestion: it may be worth adding limit=-999 or a whitespace-padded negative value in a future table-driven parser test, but Python int() already covers the whitespace case and the current route-level regression is enough for this fix.
Local validation:
PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .venv/bin/python -m pytest tests/test_bottube_feed_routes.py -q -> 27 passed, 6 subtests passed.
HuiNeng6
left a comment
HuiNeng6
left a comment
There was a problem hiding this comment.
Code Review: 1. Line 53-55: Good defensive check for negative limits. The ValueError prevents negative limits causing unexpected SQL queries. 2. Test coverage: The subTest loop covering RSS/Atom/api/feed ensures consistent fix. 3. Suggestion: Consider using a constant for the error message. Disclosure: I received RTC compensation for this review.
MolhamHamwi
left a comment
MolhamHamwi
left a comment
There was a problem hiding this comment.
Reviewed node/bottube_feed_routes.py and tests/test_bottube_feed_routes.py.
_parse_feed_limit()now rejects negative values before the existingmax(1, min(limit, maximum))clamp, which closes the previous behavior wherelimit=-1silently became1instead of surfacing invalid input to the route-levelValueErrorhandling.- The regression test covers all three feed entry points (
/api/feed/rss,/api/feed/atom, and/api/feed), so the shared parser behavior is locked across RSS, Atom, and JSON responses rather than only one route.
Local validation: python3 -m pytest -q tests/test_bottube_feed_routes.py passed (27 passed).
I received RTC compensation for this review.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Code review completed. Thanks for contributing to RustChain! 🚀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Code review completed. Thanks for contributing! 🚀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great work! Thanks for contributing to RustChain! 🦀
5 participants
Reject negative limit values for /api/feed, /api/feed/rss, and /api/feed/atom with HTTP 400 while preserving existing max-100 clamping for valid inputs.\n\nTests: PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 python3 -m pytest tests/test_bottube_feed_routes.py -q