From 7428cf714e6c0155234ed69364b2f8c0e1628754 Mon Sep 17 00:00:00 2001
From: duongynhi000005-oss
Date: Mon, 25 May 2026 23:34:04 +0000
Subject: [PATCH] fix: reject negative BoTTube feed limits

---
 node/bottube_feed_routes.py       | 5 ++++-
 tests/test_bottube_feed_routes.py | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/node/bottube_feed_routes.py b/node/bottube_feed_routes.py
index 45e14dfd4..217c79675 100644
--- a/node/bottube_feed_routes.py
+++ b/node/bottube_feed_routes.py
@@ -50,7 +50,10 @@ def _parse_feed_limit(default: int = 20, maximum: int = 100) -> int:
     raw_limit = request.args.get("limit")
     if raw_limit in (None, ""):
         return default
-    return max(1, min(int(raw_limit), maximum))
+    limit = int(raw_limit)
+    if limit < 0:
+        raise ValueError("limit must be non-negative")
+    return max(1, min(limit, maximum))
 
 
 def _get_db_connection():
diff --git a/tests/test_bottube_feed_routes.py b/tests/test_bottube_feed_routes.py
index 090a53e67..288ded71f 100644
--- a/tests/test_bottube_feed_routes.py
+++ b/tests/test_bottube_feed_routes.py
@@ -110,6 +110,13 @@ def test_rss_feed_invalid_limit(self):
         response = self.client.get("/api/feed/rss?limit=invalid")
         self.assertEqual(response.status_code, 400)
 
+    def test_feed_negative_limit_rejected(self):
+        """Test negative limits are rejected across feed variants."""
+        for path in ("/api/feed/rss", "/api/feed/atom", "/api/feed"):
+            with self.subTest(path=path):
+                response = self.client.get(f"{path}?limit=-1")
+                self.assertEqual(response.status_code, 400)
+
     def test_rss_feed_excessive_limit(self):
         """Test RSS feed caps limit to 100."""
         response = self.client.get("/api/feed/rss?limit=999")
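Review bot: The new guard rejects `-1` but the message "limit must be non-negative" is misleading for `0`, which passes the `limit < 0` check and is then silently rewritten to `1` by the surviving `max(1, ...)`, so the boundary between "invalid" and "clamped" is now in two places with different outcomes. Either treat zero as invalid too and drop the lower clamp, `if limit < 1: raise ValueError("limit must be a positive integer")` followed by `return min(limit, maximum)`, or keep the clamp and document it in the function's docstring (the signature and any docstring sit above the hunk) with a Raises entry for the new ValueError. The 400 mapping relies on something outside this hunk catching ValueError, as the existing `limit=invalid` test implies; that contract is worth stating in the docstring since the parser now raises on purpose. If this service can run on a Python older than 3.11, note that `int(raw_limit)` on a multi-megabyte digit string is quadratic in the digit count before the range check ever runs; a cheap `len(raw_limit)` bound before the `int()` call closes that.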
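Review bot: The new test pins only `limit=-1` across the three feed paths and leaves the zero boundary unspecified, even though the production change draws the line at `< 0` while `max(1, ...)` still coerces `0` to `1`; a request with `limit=0` or `limit=-0` will therefore succeed, and nothing here says whether that is intended. Add one subTest for the boundary so a later tightening or loosening is a deliberate change, for example `response = self.client.get(f"{path}?limit=0")` with an explicit expectation of either 400 or 200 matching the decision taken in `_parse_feed_limit`. Consider also asserting the 400 body is the same generic error shape as `test_rss_feed_invalid_limit` receives, so the new ValueError text is not echoed back verbatim; whether the handler does that is not visible in this diff.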