Query parameter validation accepts limit=0 and negative values — returns all results #2013

@gandalf-at-lerian

Description

The limit query parameter validation in ValidateParameters / validatePagination only checks limit > maxPaginationLimit but does not reject limit <= 0. When limit=0 is passed:

  • strconv.Atoi("0") returns 0
  • 0 > 100 is false → validation passes
  • MongoDB's SetLimit(0) means "no limit" → returns all documents
  • API responds 200 with all results instead of 400

Similarly, negative values like limit=-1 and page=0 or page=-1 pass validation.

Affected Endpoints

This is in the shared pkg/net/http/httputils.go validatePagination function, so it affects all list endpoints across Ledger and CRM.

Location

pkg/net/http/httputils.go, function validatePagination (line ~330)

Expected Behavior

  • limit <= 0 → HTTP 400 with structured error
  • page <= 0 → HTTP 400 with structured error

Suggested Fix

Add a lower bound check in validatePagination:

if limit <= 0 {
    return "", pkg.ValidateBusinessError(constant.ErrInvalidQueryParameter, "", "limit")
}

And add page validation (currently not validated at all):

// in ValidateParameters, after the for loop:
if page <= 0 {
    return nil, pkg.ValidateBusinessError(constant.ErrInvalidQueryParameter, "", "page")
}
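
A self-contained sketch of the two-sided check, added here as an example and not taken from the project's code: `upperBoundOnly` reproduces the reported behaviour and `parsePagination` enforces both bounds. The helper names, the error value, the defaults of 10 and 1, and the page ceiling are assumptions; the maximum of 100 comes from the walk-through above.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

const maxPaginationLimit = 100 // upper bound used in the issue's walk-through
// errInvalidQueryParameter stands in for the project's structured 400 error (assumption).
var errInvalidQueryParameter = errors.New("invalid query parameter")

// upperBoundOnly reproduces the reported check: 0 and negatives pass and reach the datastore.
func upperBoundOnly(limit int) error {
	if limit > maxPaginationLimit {
		return fmt.Errorf("%w: limit", errInvalidQueryParameter)
	}
	return nil
}

// boundedInt parses one parameter and enforces lo <= value <= hi; absent means def.
func boundedInt(q url.Values, name string, def, lo, hi int) (int, error) {
	if !q.Has(name) {
		return def, nil
	}
	v, err := strconv.Atoi(q.Get(name))
	if err != nil || v < lo || v > hi {
		return 0, fmt.Errorf("%w: %s", errInvalidQueryParameter, name)
	}
	return v, nil
}

// parsePagination applies both bounds to limit and a lower bound of 1 to page.
func parsePagination(q url.Values) (limit, page int, err error) {
	if limit, err = boundedInt(q, "limit", 10, 1, maxPaginationLimit); err == nil {
		page, err = boundedInt(q, "page", 1, 1, 1<<31-1) // page ceiling is an assumption
	}
	return limit, page, err
}

func main() {
	// Constructed sample query strings covering each rejected case and one valid request.
	for _, raw := range []string{"limit=0", "limit=-1", "page=0", "limit=101", "limit=25&page=3"} {
		q, _ := url.ParseQuery(raw)
		limit, page, err := parsePagination(q)
		fmt.Printf("%-16s limit=%d page=%d err=%v\n", raw, limit, page, err)
	}
}
```

A table-driven regression test over the same inputs keeps the lower bound from being dropped in a later refactor of the shared helper.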
