Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changing state of notifications via API results in internal server error 500 #25545

Closed
matusf opened this issue Jun 27, 2023 · 1 comment · Fixed by #25548
Closed

Changing state of notifications via API results in internal server error 500 #25545

matusf opened this issue Jun 27, 2023 · 1 comment · Fixed by #25548
Labels
type/bug

Comments

@matusf
Copy link

matusf commented Jun 27, 2023

Description

Hi, I've been fuzzing Gitea with openapi-fuzzer and found, that sending a PUT request to /api/v1/notifications endpoint with invalid last_read_at query parameter causes the Gitea to respond with internal server error 500 status code.

request & response

curl -X PUT -H "Authorization: token $TOKEN" 'http://127.0.0.1:3000/api/v1/notifications?last_read_at=x'
{
  "message": "parsing time \"x\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"x\" as \"2006\"",
  "url": "http://localhost:3000/api/swagger"
}

logs

2023/06/27 23:59:09 ...pi/v1/notify/user.go:135:ReadNotifications() [E] [649b5bad] InternalServerError: parsing time "x" as "2006-01-02T15:04:05Z07:00": cannot parse "x" as "2006"
2023/06/27 23:59:09 [649b5bad] router: completed PUT /api/v1/notifications?last_read_at=x for 127.0.0.1:47256, 500 Internal Server Error in 20.1ms @ notify/user.go:93(notify.ReadNotifications)

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

linux

How are you running Gitea?

  • I downloaded Gitea from Github
  • I run it from command-line
  • did not use a package or systemd

Database

SQLite
@Zettat123
Copy link
Contributor

Maybe we should return BadRequest here?

gitea/routers/api/v1/notify/user.go

Lines 132 to 137 in b943318

if len(qLastRead) > 0 {
tmpLastRead, err := time.Parse(time.RFC3339, qLastRead)
if err != nil {
ctx.InternalServerError(err)
return
}

@Zettat123 Zettat123 mentioned this issue Jun 28, 2023
Merged
@GiteaBot GiteaBot mentioned this issue Jun 28, 2023
Merged
silverwind pushed a commit that referenced this issue Jun 28, 2023
@GiteaBot @Zettat123
Fix bugs related to notification endpoints (#25548) (#25562)
77db40e 
Backport #25548 by @Zettat123

This PR
- fixes #25545
- fixes two incorrect `reqToken()` in `/notifications` endpoints (caused
by #24767)

Co-authored-by: Zettat123 <[email protected]>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix bugs related to notification endpoints Zettat123/gitea
2 participants
@Zettat123 @matusf