From 4d0a982c519cb087b4855922f65d73dbece45d33 Mon Sep 17 00:00:00 2001
From: Leonidas Spyropoulos <artafinde@archlinux.org>
Date: Sat, 14 Jan 2023 11:22:03 +0200
Subject: [PATCH] fix: assert offset and per_page are positive

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
---
 aurweb/routers/requests.py |  2 +-
 aurweb/util.py             |  6 +++---
 test/test_util.py          | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/aurweb/routers/requests.py b/aurweb/routers/requests.py
index 6880abd9..713f88d2 100644
--- a/aurweb/routers/requests.py
+++ b/aurweb/routers/requests.py
@@ -48,7 +48,7 @@ async def requests(
     if not dict(request.query_params).keys() & FILTER_PARAMS:
         filter_pending = True
 
-    O, PP = util.sanitize_params(O, PP)
+    O, PP = util.sanitize_params(str(O), str(PP))
     context["O"] = O
     context["PP"] = PP
     context["filter_pending"] = filter_pending
diff --git a/aurweb/util.py b/aurweb/util.py
index 7b997609..abf48938 100644
--- a/aurweb/util.py
+++ b/aurweb/util.py
@@ -96,14 +96,14 @@ def apply_all(iterable: Iterable, fn: Callable):
     return iterable
 
 
-def sanitize_params(offset: str, per_page: str) -> Tuple[int, int]:
+def sanitize_params(offset_str: str, per_page_str: str) -> Tuple[int, int]:
     try:
-        offset = int(offset)
+        offset = defaults.O if int(offset_str) < 0 else int(offset_str)
     except ValueError:
         offset = defaults.O
 
     try:
-        per_page = int(per_page)
+        per_page = defaults.PP if int(per_page_str) < 0 else int(per_page_str)
     except ValueError:
         per_page = defaults.PP
 
diff --git a/test/test_util.py b/test/test_util.py
index fd7d8655..fefa659a 100644
--- a/test/test_util.py
+++ b/test/test_util.py
@@ -121,6 +121,21 @@ fRSo6OFcejKc=
     assert_multiple_keys(pks)
 
 
+@pytest.mark.parametrize(
+    "offset_str, per_page_str, expected",
+    [
+        ("5", "100", (5, 100)),
+        ("", "100", (0, 100)),
+        ("5", "", (5, 50)),
+        ("", "", (0, 50)),
+        ("-1", "100", (0, 100)),
+        ("5", "-100", (5, 50)),
+    ],
+)
+def test_sanitize_params(offset_str: str, per_page_str: str, expected: tuple[int, int]):
+    assert util.sanitize_params(offset_str, per_page_str) == expected
+
+
 def assert_multiple_keys(pks):
     keys = util.parse_ssh_keys(pks)
     assert len(keys) == 2