Fix: uint to int security

2 years ago · c33ed7d3ec
parent e5d91d0b9b
commit c33ed7d3ec
3 changed files with 69 additions and 11 deletions
--- a/server/handlers/api-movie.go
+++ b/server/handlers/api-movie.go
@ -29,17 +29,17 @@ import (
 )
 func GetPageItems[T any](ctx *gin.Context, items []T) ([]T, error) {
-	max, err := strconv.ParseUint(ctx.DefaultQuery("max", "10"), 10, 64)
+	max, err := strconv.ParseInt(ctx.DefaultQuery("max", "10"), 10, 64)
 	if err != nil {
 		return items, errors.New("max must be a number")
 	}
-	page, err := strconv.ParseUint(ctx.DefaultQuery("page", "1"), 10, 64)
+	page, err := strconv.ParseInt(ctx.DefaultQuery("page", "1"), 10, 64)
 	if err != nil {
 		return items, errors.New("page must be a number")
 	}
-	return utils.GetPageItems(items, int(max), int(page)), nil
+	return utils.GetPageItems(items, max, page), nil
 }
 func MovieList(ctx *gin.Context) {
--- a/utils/utils.go
+++ b/utils/utils.go
@ -27,16 +27,18 @@ func RandBytes(n int) []byte {
 	return b
 }
-func GetPageItems[T any](items []T, max, page int) []T {
+func GetPageItems[T any](items []T, max, page int64) []T {
 	if max <= 0 || page <= 0 {
 		return nil
 	}
 	start := (page - 1) * max
-	if start < 0 {
+	l := int64(len(items))
-		start = 0
+	if start > l {
-	} else if start > len(items) {
+		start = l
 		start = len(items)
 	}
-	end := int(page * max)
+	end := page * max
-	if end > len(items) {
+	if end > l {
-		end = len(items)
+		end = l
 	}
 	return items[start:end]
 }
--- a/utils/utils_test.go
+++ b/utils/utils_test.go
@ -0,0 +1,56 @@
 package utils_test
 import (
 	"reflect"
 	"testing"
 	"github.com/synctv-org/synctv/utils"
 )
 func TestGetPageItems(t *testing.T) {
 	type args struct {
 		items []int
 		max   int64
 		page  int64
 	}
 	tests := []struct {
 		name string
 		args args
 		want []int
 	}{
 		{
 			name: "Test Case 1",
 			args: args{
 				items: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
 				max:   5,
 				page:  1,
 			},
 			want: []int{1, 2, 3, 4, 5},
 		},
 		{
 			name: "Test Case 2",
 			args: args{
 				items: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
 				max:   5,
 				page:  2,
 			},
 			want: []int{6, 7, 8, 9, 10},
 		},
 		{
 			name: "Test Case 3",
 			args: args{
 				items: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
 				max:   5,
 				page:  3,
 			},
 			want: []int{},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := utils.GetPageItems(tt.args.items, tt.args.max, tt.args.page); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("GetPageItems() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }