fix(zenstackhq#300): handle invalid json in openapi query params grac…

…efully (zenstackhq#303)
Eventiva · Mar 29, 2023 · 8bdc827 · 8bdc827
2 parents 1008b0e + 68a08a3
commit 8bdc827
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/packages/server/src/openapi/index.ts b/packages/server/src/openapi/index.ts
@@ -138,7 +138,11 @@ export async function handleRequest({
             if (method !== 'GET') {
                 return { status: 400, body: { message: 'invalid request method, only GET is supported' } };
             }
-            args = query?.q ? unmarshal(query.q as string) : {};
+            try {
+                args = query?.q ? unmarshal(query.q as string) : {};
+            } catch {
+                return { status: 400, body: { message: 'query param must contain valid JSON' } };
+            }
             break;
 
         case 'update':
@@ -158,7 +162,11 @@ export async function handleRequest({
             if (method !== 'DELETE') {
                 return { status: 400, body: { message: 'invalid request method, only DELETE is supported' } };
             }
-            args = query?.q ? unmarshal(query.q as string) : {};
+            try {
+                args = query?.q ? unmarshal(query.q as string) : {};
+            } catch {
+                return { status: 400, body: { message: 'query param must contain valid JSON' } };
+            }
             break;
 
         default: