Kinto / kinto

A generic JSON document store with sharing and synchronisation capabilities.
http://docs.kinto-storage.org/

Crash with invalid integer value for `gt_last_modified` #3402

Closed leplatrem closed 4 weeks ago

leplatrem commented 3 months ago

For example:

```python
querystring = {
    "_sort": "last_modified",
    "gt_last_modified": "171103608603432920249' or '7127'='7127",
}
```

crashes with

```text
DataError (psycopg2.errors.NumericValueOutOfRange) value "171103608603432920249' or '7127'='7127" is out of range for type bigint
LINE 7:             AND as_epoch(last_modified) > '17110360860343292...
```

We should check here that an integer is passed:

https://github.com/Kinto/kinto/blob/cb9cbf76beee92f7d09a3c498ebaa70ed195f256/kinto/core/resource/__init__.py#L1130-L1131
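The kind of check the issue asks for, as an added example that is not Kinto's own code: comparison filters on an integer column are parsed and range-checked before any SQL is built, so a value like the one above is rejected with a client error instead of surfacing as a database `DataError`. The function names, the `InvalidFilterValue` exception and the list of comparison prefixes are assumptions for this example.

```python
import re

# PostgreSQL bigint bounds. The crash on the page is NumericValueOutOfRange,
# so int() alone is not enough: the value must also fit in a signed 64-bit.
BIGINT_MIN = -(2 ** 63)
BIGINT_MAX = 2 ** 63 - 1
_INT_RE = re.compile(r"-?[0-9]+")

# Assumed: fields stored as bigint, and the filter prefixes that compare them.
INTEGER_FILTER_FIELDS = {"last_modified"}
COMPARISON_PREFIXES = ("gt_", "lt_", "min_", "max_", "not_")


class InvalidFilterValue(ValueError):
    """A filter value that should be answered with HTTP 400, not sent to SQL."""


def parse_bigint(raw):
    """Parse a querystring value as a PostgreSQL bigint or raise InvalidFilterValue."""
    text = str(raw).strip()
    # fullmatch, not match: "123' or ..." must not pass on its leading digits
    if not _INT_RE.fullmatch(text):
        raise InvalidFilterValue("Invalid integer value: %r" % (raw,))
    value = int(text)
    if not BIGINT_MIN <= value <= BIGINT_MAX:
        raise InvalidFilterValue("Integer value out of range: %r" % (raw,))
    return value


def is_valid_bigint(raw):
    """True if parse_bigint() would accept the value."""
    try:
        parse_bigint(raw)
    except InvalidFilterValue:
        return False
    return True


def validate_filters(querystring):
    """Return a copy of the querystring with integer filters converted to int."""
    cleaned = {}
    for key, raw in querystring.items():
        field = key
        for prefix in COMPARISON_PREFIXES:
            if key.startswith(prefix):
                field = key[len(prefix):]
                break
        cleaned[key] = parse_bigint(raw) if field in INTEGER_FILTER_FIELDS else raw
    return cleaned
```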