fix: add input validation for offset/limit to prevent query injection in CosmosDB#2146

Open
KhawarHabibKhan wants to merge 1 commit into Azure-Samples:main from KhawarHabibKhan:fix/sql-injection-cosmosdb-query
Conversation

@KhawarHabibKhan

Summary

  • Added input validation and type casting for the offset query parameter in the /history/list API endpoint to prevent invalid or malicious values from reaching the database layer
  • Added whitelist validation for sort_order parameter in CosmosConversationClient.get_conversations() to only allow ASC or DESC
  • Added explicit int() casting for offset and limit before interpolation into CosmosDB SQL query string

Problem

The offset and limit parameters in the CosmosDB query were directly interpolated into the SQL query using f-strings without any validation or parameterization. The offset value from the API request was passed through without type conversion, potentially allowing query injection.

Changes

code/backend/api/chat_history.py

  • Added try/except block to validate offset as a valid integer
  • Added range check to reject negative values
  • Returns a 400 error for invalid input

code/backend/batch/utilities/chat_history/cosmosdb.py

  • Added whitelist check for sort_order (only ASC/DESC allowed, defaults to DESC)
  • Added int() casting for offset and limit before query interpolation
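The validation described in this PR, as an added example that is not the PR's code and not part of the Azure-Samples project: a pure-Python version of the offset/limit integer check (400 on failure), the ASC/DESC whitelist with a DESC fallback, and the query builder that interpolates only the validated values. The function names, the `DEFAULT_LIMIT`/`MAX_LIMIT` bounds, the `c.userId`/`c.updatedAt` field names and the `handle_history_list` handler are assumptions made for illustration; the real code would pass the returned text and parameter list to the Cosmos SDK's `query_items()`.

```python
import re
from typing import Any, Dict, List, Tuple

# Whitelist for the ORDER BY direction. Anything else falls back to DESC,
# matching the PR's "only ASC/DESC allowed, defaults to DESC".
ALLOWED_SORT_ORDERS = frozenset({"ASC", "DESC"})
DEFAULT_LIMIT = 25   # hypothetical page size, not from the PR
MAX_LIMIT = 100      # hypothetical upper bound on page size, not from the PR
_DIGITS = re.compile(r"[0-9]+")   # ASCII digits only: no sign, spaces, dot or hex prefix


class InvalidPagingInput(ValueError):
    """Validation failure that the API layer maps to an HTTP 400 response."""


def parse_non_negative_int(name: str, raw: Any, default: int) -> int:
    """Coerce a raw query-string value to a non-negative int, or raise.

    Accepts None (-> default), a plain int, or a string of decimal digits.
    Rejects bool (a subclass of int), floats, signs, whitespace and any
    string carrying extra tokens, so only a bare integer can ever reach
    the f-string that builds the query.
    """
    if raw is None:
        return default
    if isinstance(raw, bool):
        raise InvalidPagingInput(f"{name} must be an integer")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, str) and _DIGITS.fullmatch(raw):
        value = int(raw)
    else:
        raise InvalidPagingInput(f"{name} must be an integer")
    if value < 0:
        raise InvalidPagingInput(f"{name} must not be negative")
    return value


def validate_paging_params(offset: Any = None, limit: Any = None,
                           sort_order: Any = None) -> Tuple[int, int, str]:
    """Return (offset, limit, sort_order) that are safe to place in the query."""
    off = parse_non_negative_int("offset", offset, 0)
    lim = parse_non_negative_int("limit", limit, DEFAULT_LIMIT)
    if lim == 0 or lim > MAX_LIMIT:
        raise InvalidPagingInput(f"limit must be between 1 and {MAX_LIMIT}")
    order = str(sort_order or "DESC").strip().upper()
    if order not in ALLOWED_SORT_ORDERS:
        order = "DESC"   # whitelist miss: fall back rather than interpolate
    return off, lim, order


def build_conversations_query(user_id: str, offset: Any = None, limit: Any = None,
                              sort_order: Any = None) -> Tuple[str, List[Dict[str, Any]]]:
    """Build query text plus the parameter list for container.query_items().

    user_id is free-form text, so it goes through a named @parameter instead
    of the f-string. offset/limit are validated ints and sort_order is
    whitelisted before interpolation, which is what makes the f-string safe.
    Field names (c.userId, c.updatedAt) are hypothetical.
    """
    off, lim, order = validate_paging_params(offset, limit, sort_order)
    query = (
        "SELECT * FROM c WHERE c.userId = @userId AND c.type = 'conversation' "
        f"ORDER BY c.updatedAt {order} OFFSET {off} LIMIT {lim}"
    )
    parameters = [{"name": "@userId", "value": user_id}]
    return query, parameters


def handle_history_list(args: Dict[str, Any],
                        user_id: str = "user-123") -> Tuple[int, Dict[str, Any]]:
    """Hypothetical handler mirroring /history/list: 400 on bad paging input."""
    try:
        query, params = build_conversations_query(
            user_id, args.get("offset"), args.get("limit"), args.get("sort_order"))
    except InvalidPagingInput as exc:
        return 400, {"error": str(exc)}
    # The real endpoint would now call
    #   container.query_items(query=query, parameters=params, ...)
    return 200, {"query": query, "parameters": params}


if __name__ == "__main__":
    # Constructed sample requests: one valid, the rest rejected before any query runs.
    for sample in ({"offset": "5", "limit": "10", "sort_order": "asc"},
                   {"offset": "-1"}, {"offset": "1.5"}, {"offset": "7 LIMIT 1"},
                   {"limit": "0"}, {"limit": "1000"}):
        print(sample, "->", handle_history_list(sample))
```

Rejecting anything that is not a bare run of digits (rather than calling `int()` and catching `ValueError`) is deliberate: `int()` accepts leading whitespace, a sign and underscores, so a regex fullmatch keeps the accepted set exactly as narrow as what the query needs.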
