
Commit 58b6924

committed
Avoid misuse of the security advisory API endpoint
1 parent 7687b0f commit 58b6924


2 files changed

+4
-1
lines changed


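--- a/src/Controller/ApiController.php
+++ b/src/Controller/ApiController.php
@@ -359,6 +359,9 @@ public function securityAdvisoryAction(Request $request, ProviderManager $provid
 if ($updatedSince < 0) {
 return new JsonResponse(['status' => 'error', 'message' => 'Invalid updatedSince parameter: timestamp should not be negative.'], 400);
 }
+if ($updatedSince > 0 && \count($packageNames) > 0) {
+return new JsonResponse(['status' => 'error', 'message' => 'Pass only one of "updatedSince" OR "packages" parameters, they cannot be provided together.'], 400);
+}
 
 $statsd->increment('advisory_api');
 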
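Review bot: The new guard rejects the combination only when `$updatedSince > 0`, so a request carrying an explicit `updatedSince=0` together with `packages` still passes; that appears deliberate, since SecurityAdvisoryRepository::searchSecurityAdvisories in the same commit substitutes 0 for the timestamp whenever package names are present, but nothing in the controller says so. A short comment above the check would tie the two together, e.g. `// "updatedSince" and "packages" are mutually exclusive; 0 presumably means "not provided" and is also what the repository substitutes when filtering by name.` Without it the 400 here and the silent override in the repository read as two unrelated rules, and a future change to one is likely to miss the other. The enclosing securityAdvisoryAction starts before this hunk, so how $updatedSince and $packageNames are parsed from the request is not visible here.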

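--- a/src/Entity/SecurityAdvisoryRepository.php
+++ b/src/Entity/SecurityAdvisoryRepository.php
@@ -161,7 +161,7 @@ public function searchSecurityAdvisories(array $packageNames, int $updatedSince)
 .($filterByNames ? ' AND s.packageName IN (:packageNames)' : '')
 .' ORDER BY '.($filterByNames ? 's.reportedAt DESC, ' : '').'s.id DESC';
 
-$params = ['updatedSince' => date('Y-m-d H:i:s', $updatedSince)];
+$params = ['updatedSince' => date('Y-m-d H:i:s', $filterByNames ? 0 : $updatedSince)];
 $types = [];
 if ($filterByNames) {
 $params['packageNames'] = $packageNames;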
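Review bot: The changed line `$filterByNames ? 0 : $updatedSince` silently discards a caller-supplied `$updatedSince` whenever `$packageNames` is non-empty, which makes that part of the method's contract but leaves it undocumented. The API controller now answers 400 for the same combination, so for HTTP clients the override is unreachable, but any other caller of searchSecurityAdvisories would get an unbounded-in-time result with no indication that its filter was dropped; the method's docblock should state it, e.g. `@param int $updatedSince time bound applied to the query; ignored (treated as 0) when $packageNames is non-empty`. If the intent is that non-API callers must not combine the two either, throwing `\InvalidArgumentException` here instead of overriding would be the stricter choice, but that is a design decision the commit message does not settle. The method begins before this hunk (its signature is only visible in the hunk header) and its query construction continues after it.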
