feat(api): cap offset on list-topologies and transcript endpoints

The other five query endpoints (/logs, /attackers, /attacker-commands, /bounties, /topologies/{id}) already declared le=2147483647 on offset; these two were inconsistently uncapped. Bring them in line to close the F4/D deep-pagination row. Also resolves F4/T (ORM sort injection — already mitigated by the regex pattern on /attackers sort_by, no other route accepts a column name) and F4/D (limit cap — already universal) with code pointers.
2026-04-24 14:14:25 -04:00
parent e53b580767
commit a935bf2663
3 changed files with 9 additions and 8 deletions
--- a/decnet/web/router/topology/api_list_topologies.py
+++ b/decnet/web/router/topology/api_list_topologies.py
@@ -26,7 +26,7 @@ router = APIRouter()
 async def api_list_topologies(
    status: Optional[str] = Query(default=None, description="Filter by topology status"),
    limit: int = Query(default=50, ge=1, le=500),
-    offset: int = Query(default=0, ge=0),
+    offset: int = Query(default=0, ge=0, le=2147483647),
    _viewer: dict = Depends(require_viewer),
 ) -> TopologyListResponse:
    total = await repo.count_topologies(status=status)
--- a/decnet/web/router/transcripts/api_get_transcript.py
+++ b/decnet/web/router/transcripts/api_get_transcript.py
@@ -144,7 +144,7 @@ def _find_shard_with_sid(decky: str, service: str, sid: str) -> Path | None:
 async def get_transcript(
    decky: str,
    sid: str,
-    offset: int = Query(0, ge=0),
+    offset: int = Query(0, ge=0, le=2147483647),
    limit: int = Query(500, ge=1, le=5000),
    admin: dict = Depends(require_admin),
 ) -> dict[str, Any]: