From 4e77ce6d1688bee10f82399a15cf1fe89ed7c06b Mon Sep 17 00:00:00 2001
From: rounaksalim95
Date: Mon, 25 May 2026 14:23:23 -0700
Subject: [PATCH] Reject oversized API integer strings

---
 app/main.py | 7 ++++++-
 tests/test_security.py | 20 +++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/app/main.py b/app/main.py
index 74ae49e1..580c17eb 100644
--- a/app/main.py
+++ b/app/main.py
@@ -693,7 +693,12 @@ def _parse_int(value: Any, field: str) -> int:
     if isinstance(value, str):
         clean = value.strip()
         if clean and clean.lstrip("+-").isdigit():
-            return int(clean)
+            try:
+                return int(clean)
+            except ValueError as exc:
+                raise HTTPException(
+                    status_code=400, detail=f"{field} must be an integer"
+                ) from exc
     raise HTTPException(status_code=400, detail=f"{field} must be an integer")
 
 
diff --git a/tests/test_security.py b/tests/test_security.py
index a51b8f2a..af956f43 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -239,7 +239,7 @@ def test_admin_bounty_api_rejects_fractional_integer_fields(
         headers={"x-mergework-admin-token": "admin-token-for-tests"},
         json={**payload, "max_awards": 1.5},
     )
-    oversized_issue = client.post(
+    oversized_integer_issue = client.post(
         "/api/v1/bounties",
         headers={"x-mergework-admin-token": "admin-token-for-tests"},
         json={
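Review bot: The new `except ValueError` around `int(clean)` rejects a 5000-digit string only because CPython (3.11+, and the 3.7–3.10 security backports for CVE-2020-10735) refuses to convert more than `sys.int_info.default_max_str_digits` (4300) decimal digits; on an interpreter without that limit, or in a process where `PYTHONINTMAXSTRDIGITS` / `sys.set_int_max_str_digits` raised it, the string is still parsed in quadratic time and the resulting big int is returned to the caller. A length guard before the conversion is deterministic and independent of that process-wide setting, e.g. `if len(clean.lstrip("+-")) > 19: raise HTTPException(status_code=400, detail=f"{field} is too large")` placed right after the `isdigit()` check (keep `must be an integer` instead if the tests' wording is the intended contract). Separately, `isdigit()` accepts non-ASCII digit characters such as `"²"`, for which `int()` raises, so the new handler now also maps those to a 400; `clean.lstrip("+-").isdecimal()` or an `.isascii()` check would make the accepted alphabet explicit rather than relying on the exception. `_parse_int` begins before this hunk, so the non-string branches and any range check on the returned value are not visible here.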
@@ -248,13 +248,27 @@ def test_admin_bounty_api_rejects_fractional_integer_fields(
             "issue_url": f"https://github.com/ramimbo/mergework/issues/{2**63}",
         },
     )
+    oversized_string_issue = client.post(
+        "/api/v1/bounties",
+        headers={"x-mergework-admin-token": "admin-token-for-tests"},
+        json={**payload, "issue_number": "9" * 5000},
+    )
+    oversized_string_awards = client.post(
+        "/api/v1/bounties",
+        headers={"x-mergework-admin-token": "admin-token-for-tests"},
+        json={**payload, "max_awards": "9" * 5000},
+    )
 
     assert fractional_issue.status_code == 400
     assert fractional_issue.json()["detail"] == "issue_number must be an integer"
     assert fractional_awards.status_code == 400
     assert fractional_awards.json()["detail"] == "max_awards must be an integer"
-    assert oversized_issue.status_code == 400
-    assert oversized_issue.json()["detail"] == "issue_number is too large"
+    assert oversized_integer_issue.status_code == 400
+    assert oversized_integer_issue.json()["detail"] == "issue_number is too large"
+    assert oversized_string_issue.status_code == 400
+    assert oversized_string_issue.json()["detail"] == "issue_number must be an integer"
+    assert oversized_string_awards.status_code == 400
+    assert oversized_string_awards.json()["detail"] == "max_awards must be an integer"
 
 
 def test_admin_webhook_events_api_lists_and_filters_processing_outcomes(
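Review bot: The two new `"9" * 5000` cases pass only under an interpreter whose `int()` digit limit is below 5000 (CPython's default is 4300); if the suite ever runs with `PYTHONINTMAXSTRDIGITS` raised or `sys.set_int_max_str_digits(0)`, `int("9" * 5000)` succeeds and these assertions stop describing what the server does, so the expectation is really about the interpreter rather than the parser. A case that does not depend on that limit is a string just above the int64 range, `json={**payload, "issue_number": str(2**63)}`, which presumably should match the numeric case's `issue_number is too large` (that range check lives outside this hunk, so confirm the string path reaches it). The function name `test_admin_bounty_api_rejects_fractional_integer_fields` now also covers oversized numeric and string values; a broader name such as `test_admin_bounty_api_rejects_invalid_integer_fields` would match its contents. The test function starts before this hunk, where `client` and `payload` are set up.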