feat(api): cap offset on list-topologies and transcript endpoints

The other five query endpoints (/logs, /attackers, /attacker-commands,
/bounties, /topologies/{id}) already declared le=2147483647 on offset;
these two were inconsistently uncapped. Bring them in line to close
the F4/D deep-pagination row.

Also resolves F4/T (ORM sort injection — already mitigated by the
regex pattern on /attackers sort_by, no other route accepts a column
name) and F4/D (limit cap — already universal) with code pointers.
2026-04-24 14:14:25 -04:00
parent e53b580767
commit a935bf2663
3 changed files with 9 additions and 8 deletions

@@ -144,7 +144,7 @@ def _find_shard_with_sid(decky: str, service: str, sid: str) -> Path | None:
async def get_transcript(
decky: str,
sid: str,
offset: int = Query(0, ge=0),
offset: int = Query(0, ge=0, le=2147483647),
limit: int = Query(500, ge=1, le=5000),
admin: dict = Depends(require_admin),
) -> dict[str, Any]:
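
Review bot: on the new offset line of get_transcript the ceiling is the bare literal 2147483647, the same value the commit message says five other endpoints already declare, so the routes can drift apart again exactly the way these two did. Consider one shared named constant (for example a module-level MAX_OFFSET, name hypothetical) referenced by every offset Query(...), and a test asserting that offset=2147483648 is rejected with a validation error on this route. The hunk header shows the transcript is located through _find_shard_with_sid returning a Path, but the visible lines do not show how offset is consumed afterwards; if it drives a sequential skip over a shard file, an int32 ceiling bounds the value but not the work per request, so a tighter route-specific cap may be worth a follow-up.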