From 670e2ce7a54a0af11d10c07e09364aa2d5a9875f Mon Sep 17 00:00:00 2001
From: KhawarHabibKhan
Date: Thu, 2 Apr 2026 18:38:14 +0500
Subject: [PATCH] fix: add input validation for offset/limit to prevent query injection

---
 code/backend/api/chat_history.py | 7 ++++++-
 code/backend/batch/utilities/chat_history/cosmosdb.py | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/code/backend/api/chat_history.py b/code/backend/api/chat_history.py
index 8a86b8119..706dbec7d 100644
--- a/code/backend/api/chat_history.py
+++ b/code/backend/api/chat_history.py
@@ -55,7 +55,12 @@ async def list_conversations():
         return jsonify({"error": "Chat history is not available"}), 400
 
     try:
-        offset = request.args.get("offset", 0)
+        try:
+            offset = int(request.args.get("offset", 0))
+        except (ValueError, TypeError):
+            return jsonify({"error": "offset must be a valid integer"}), 400
+        if offset < 0:
+            return jsonify({"error": "offset must be non-negative"}), 400
         authenticated_user = get_authenticated_user_details(
             request_headers=request.headers
         )
diff --git a/code/backend/batch/utilities/chat_history/cosmosdb.py b/code/backend/batch/utilities/chat_history/cosmosdb.py
index 5cac5fc8c..4fc35ecef 100644
--- a/code/backend/batch/utilities/chat_history/cosmosdb.py
+++ b/code/backend/batch/utilities/chat_history/cosmosdb.py
@@ -122,8 +122,12 @@ async def delete_messages(self, conversation_id, user_id):
 
     async def get_conversations(self, user_id, limit, sort_order="DESC", offset=0):
         parameters = [{"name": "@userId", "value": user_id}]
+        if sort_order not in ("ASC", "DESC"):
+            sort_order = "DESC"
         query = f"SELECT * FROM c where c.userId = @userId and c.type='conversation' order by c.updatedAt {sort_order}"
         if limit is not None:
+            offset = int(offset)
+            limit = int(limit)
             query += f" offset {offset} limit {limit}"
         conversations = []
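Review bot: The new block at the top of the `try:` in `list_conversations` validates only `offset`, although the subject line says offset/limit; if `limit` is also read from the request further down (the rest of the function is outside this hunk), it reaches `get_conversations`, whose bare `int(limit)` in the second file raises `ValueError` out of the data layer instead of producing a 400 like these offset checks do. If that is the case, the same int-and-non-negative validation belongs beside the offset block so the request layer is the single place that rejects bad paging values. The reason for the strictness is not obvious from this file alone, so a one-line comment above the inner `try:` would help the next maintainer: `# offset is interpolated into the Cosmos query text downstream, so only a non-negative int may pass this point`. The enclosing `try:` body continues past the end of the hunk.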