Skip to content

Fix(findrive): resolve missing negative-limit guard in search_files#449

Open
Jean-Regis-M wants to merge 1 commit intoGenAI-Security-Project:mainfrom
Jean-Regis-M:patch-45
Open

Fix(findrive): resolve missing negative-limit guard in search_files#449
Jean-Regis-M wants to merge 1 commit intoGenAI-Security-Project:mainfrom
Jean-Regis-M:patch-45

Conversation

@Jean-Regis-M
Copy link
Copy Markdown
Contributor

@Jean-Regis-M Jean-Regis-M commented Apr 1, 2026

Summary

Fixes #353 search_files accepted negative limit values and forwarded them directly to the database layer, triggering undefined SQL LIMIT behavior.

Root Cause

No lower-bound validation existed on the limit parameter in search_files. The raw value was passed unchecked into repo.search_files(query, limit=limit).

Solution

Added a two-line early-return guard at the top of search_files, before the db_session block, that returns a structured error response when limit < 0. Matches the existing error-return pattern used in upload_file.

if limit < 0:
    return {"error": f"limit must be non-negative, got {limit}"}

Impact

  • No breaking changes
  • Deterministic error response for invalid input
  • Zero change to the valid-input path

Testing

pytest tests/unit/mcp/test_findrive.py::TestIntFieldEdgeCases::test_fd_int_006_search_files_negative_limit_raises -v
pytest tests/unit/mcp/test_findrive.py::test_fd_srch_001_returns_matching_files_by_filename -v

Tasks

  • Root cause identified (limit forwarded to DB without validation)
  • Guard added before db_session block in search_files
  • Error response matches existing pattern in upload_file
  • Negative limit test passes (test_fd_int_006_search_files_negative_limit_raises)
  • Valid search regression test passes (test_fd_srch_001_returns_matching_files_by_filename)

@Jean-Regis-M
fix(findrive): reject negative limit in search_files before DB call
5d044df 
Root cause:
search_files forwarded unvalidated limit to repo.search_files(), allowing
negative values to reach the DB layer with undefined LIMIT behavior.

Solution:
Add early return with error dict when limit < 0, matching the validation
pattern used in upload_file.

Impact:
Deterministic error response for invalid input; zero change to valid path.

Signed-off-by: JEAN REGIS <240509606@firat.edu.tr>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug_144_MUST_FIX: FD-INT-006 — search_files accepts negative limit; undefined database behavior

1 participant

@Jean-Regis-M