Kinto/kinto

Crash with invalid integer value for `gt_last_modified`

Closed this issue · 0 comments

For example:

```
querystring = {
    _sort: "last_modified",
    gt_last_modified: "171103608603432920249' or '7127'='7127"
}
```

crashes with

```
DataError (psycopg2.errors.NumericValueOutOfRange) value "171103608603432920249' or '7127'='7127" is out of range for type bigint
LINE 7:             AND as_epoch(last_modified) > '17110360860343292...
```

We should check here that an integer is passed:

```python
if field == self.model.modified_field and value == "":
    raise_invalid(self.request, **error_details)
```
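
One way to implement the check the issue asks for, as an added example that is not Kinto's code: reject a timestamp filter value before it reaches the query unless it is a plain integer that fits PostgreSQL's `bigint`. `parse_timestamp_filter`, `is_accepted` and `InvalidFilterValue` are hypothetical names, and a real view would turn the exception into a 400 response.

```python
import re

# PostgreSQL bigint is a signed 64-bit integer.
BIGINT_MIN = -(2**63)
BIGINT_MAX = 2**63 - 1

# Optional sign, then 1-19 ASCII digits (BIGINT_MAX has 19 digits). Capping the
# length also keeps int() away from arbitrarily long client-supplied strings.
_INT_RE = re.compile(r"[+-]?[0-9]{1,19}")


class InvalidFilterValue(ValueError):
    """Hypothetical error type; a view would map it to an HTTP 400."""


def parse_timestamp_filter(field, value):
    """Return `value` as an int that fits in bigint, else raise InvalidFilterValue."""
    if isinstance(value, bool):
        raise InvalidFilterValue(f"{field}: expected an integer, got {value!r}")
    if isinstance(value, int):
        number = value
    elif isinstance(value, str) and _INT_RE.fullmatch(value):
        number = int(value)
    else:
        raise InvalidFilterValue(f"{field}: expected an integer, got {value!r}")
    if not BIGINT_MIN <= number <= BIGINT_MAX:
        raise InvalidFilterValue(f"{field}: {number} is out of range for bigint")
    return number


def is_accepted(field, value):
    """Convenience wrapper: True if the value would be allowed into the query."""
    try:
        parse_timestamp_filter(field, value)
    except InvalidFilterValue:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs; the second is the value quoted in the issue.
    samples = ["1711036086034", "171103608603432920249' or '7127'='7127",
               "171103608603432920249", "9223372036854775808", ""]
    for raw in samples:
        print(f"{raw!r:50} accepted={is_accepted('gt_last_modified', raw)}")
```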