From e51d20479e70320486385a4787f5d09abdd6ed4e Mon Sep 17 00:00:00 2001
From: Côme Chilliet
Date: Tue, 10 Oct 2023 10:43:18 +0200
Subject: Check limit and offset parameters sent to controller
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Côme Chilliet
---
 apps/provisioning_api/lib/Controller/UsersController.php | 7 +++++++
 1 file changed, 7 insertions(+) (limited to 'apps/provisioning_api')
diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index 95778eff366..97d94ecb407 100644
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -246,6 +246,13 @@ class UsersController extends AUserData {
 if ($currentUser === null) {
 return new DataResponse(['users' => []]);
 }
+ if ($limit !== null && $limit < 0) {
+ throw new InvalidArgumentException("Invalid limit value: $limit");
+ }
+ if ($offset < 0) {
+ throw new InvalidArgumentException("Invalid offset value: $offset");
+ }
+ $users = []; // Admin? Or SubAdmin?
--
cgit v1.2.3
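Review bot: The two new guards throw a bare `InvalidArgumentException` for bad client input, and nothing in the hunk shows it being translated into a client error, so a negative `limit` or `offset` may surface as a server-side failure rather than a 4xx OCS response; consider an OCS-level exception such as `throw new OCSBadRequestException("Invalid limit value: $limit");` if that matches the file's conventions. The commit adds no `use` line, so confirm `InvalidArgumentException` is already imported in this namespaced file, otherwise the name will not resolve when the guard fires. Only the lower bound is checked: an arbitrarily large `limit` still passes, so if the listing behind it is expensive an upper cap is worth adding here as well. The enclosing method starts and ends outside the hunk, so its signature and how `$limit` and `$offset` are used afterwards are not visible.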