api: check limit/offset parameters are valid (#28773)

tests/test_api.py

@@ -1498,6 +1498,10 @@ def test_api_list_formdata(pub, local_user):
         resp_partial_ids.extend([x.get('id') for x in resp.json])
     assert resp_all_ids == resp_partial_ids
 
+    # check error handling
+    get_app(pub).get(sign_uri('/api/forms/test/list?filter=all&offset=plop', user=local_user), status=400)
+    get_app(pub).get(sign_uri('/api/forms/test/list?filter=all&limit=plop', user=local_user), status=400)
+
 def test_api_anonymized_formdata(pub, local_user, admin_user):
     Role.wipe()
     role = Role(name='test')
@@ -1793,6 +1797,18 @@ def test_api_global_listing(pub, local_user):
     resp = get_app(pub).get(sign_uri('/api/forms/?status=done', user=local_user))
     assert len(resp.json['data']) == 20
 
+    # check limit/offset
+    resp = get_app(pub).get(sign_uri('/api/forms/?status=done&limit=5', user=local_user))
+    assert len(resp.json['data']) == 5
+    resp = get_app(pub).get(sign_uri('/api/forms/?status=done&offset=5&limit=5', user=local_user))
+    assert len(resp.json['data']) == 5
+    resp = get_app(pub).get(sign_uri('/api/forms/?status=done&offset=18&limit=5', user=local_user))
+    assert len(resp.json['data']) == 2
+
+    # check error handling
+    get_app(pub).get(sign_uri('/api/forms/?status=done&limit=plop', user=local_user), status=400)
+    get_app(pub).get(sign_uri('/api/forms/?status=done&offset=plop', user=local_user), status=400)
+
 def test_api_global_listing_ignored_roles(pub, local_user):
     test_api_global_listing(pub, local_user)
 

wcs/api.py

@@ -26,7 +26,7 @@ from qommon import _
 from qommon import misc
 from qommon.evalutils import make_datetime
 from qommon.errors import (AccessForbiddenError, QueryError, TraversalError,
-    UnknownNameIdAccessForbiddenError)
+    UnknownNameIdAccessForbiddenError, RequestError)
 from qommon.form import ComputedExpressionWidget, ConditionWidget
 
 from wcs.categories import Category
@@ -211,9 +211,15 @@ class ApiFormsDirectory(Directory):
             roles_criterias = criterias
             criterias = management_directory.get_global_listing_criterias(ignore_user_roles=True)
 
-        limit = int(get_request().form.get('limit',
-            get_publisher().get_site_option('default-page-size') or 20))
-        offset = int(get_request().form.get('offset', 0))
+        try:
+            limit = int(get_request().form.get('limit',
+                get_publisher().get_site_option('default-page-size') or 20))
+        except ValueError:
+            raise RequestError('invalid limit parameter')
+        try:
+            offset = int(get_request().form.get('offset', 0))
+        except ValueError:
+            raise RequestError('invalid offset parameter')
         order_by = get_request().form.get('order_by',
             get_publisher().get_site_option('default-sort-order') or '-receipt_time')
 

wcs/backoffice/management.py

@@ -1610,10 +1610,16 @@ class FormPage(Directory):
         query = get_request().form.get('q') if not anonymise else None
         offset = None
         if 'offset' in get_request().form:
-            offset = int(get_request().form['offset'])
+            try:
+                offset = int(get_request().form['offset'])
+            except ValueError:
+                raise errors.RequestError('invalid offset parameter')
         limit = None
         if 'limit' in get_request().form:
-            limit = int(get_request().form['limit'])
+            try:
+                limit = int(get_request().form['limit'])
+            except ValueError:
+                raise errors.RequestError('invalid limit parameter')
         items, total_count = FormDefUI(self.formdef).get_listing_items(
             selected_filter, user=user, query=query, criterias=criterias,
             order_by=order_by, anonymise=anonymise, offset=offset, limit=limit)