
[Bug]: Missing validation on limit parameter in libraries/id/items #3459

Closed
Sapd opened this issue Sep 26, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@Sapd
Contributor

Sapd commented Sep 26, 2024

What happened?

A user can crash ABS when it uses the items API and uses a non-integer limit:

/api/libraries/${libraryId}/items?limit=${limit}

Crashes, for example, when limit is 6.5.

What did you expect to happen?

It should return 400 Bad Request instead of crashing.

Steps to reproduce the issue

See above

Audiobookshelf version

v2.13.4

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

None

Logs

[2024-09-26 10:31:25.191] FATAL: [Server] Unhandled rejection: SequelizeDatabaseError: SQLITE_MISMATCH: datatype mismatch, promise: Promise {
  <rejected> Error
      at Database.<anonymous> (/node_modules/sequelize/lib/dialects/sqlite/query.js:185:27)
      at /node_modules/sequelize/lib/dialects/sqlite/query.js:183:50
      at new Promise (<anonymous>)
      at Query.run (/node_modules/sequelize/lib/dialects/sqlite/query.js:183:12)
      at /node_modules/sequelize/lib/sequelize.js:315:28
      at async SQLiteQueryInterface.select (/node_modules/sequelize/lib/dialects/abstract/query-interface.js:407:12)
      at async book.findAll (/node_modules/sequelize/lib/model.js:1140:21)
      at async Promise.all (index 1)
      at async book.findAndCountAll (/node_modules/sequelize/lib/model.js:1322:27)
      at async Object.getFilteredLibraryItems (/server/utils/queries/libraryItemsBookFilters.js:558:36) {
    name: 'SequelizeDatabaseError',
    parent: [Error: SQLITE_MISMATCH: datatype mismatch] {
      errno: 20,
      code: 'SQLITE_MISMATCH',
...[query cut]...

Additional Notes

No response

@Sapd Sapd added the bug Something isn't working label Sep 26, 2024
@advplyr advplyr added the awaiting release Issue is resolved and will be in the next release label Sep 26, 2024

github-actions bot commented Oct 5, 2024

Fixed in v2.14.0.

@github-actions github-actions bot closed this as completed Oct 5, 2024
@github-actions github-actions bot removed the awaiting release Issue is resolved and will be in the next release label Oct 5, 2024