fix(gateway): reject invalid session history limit with 400 instead of coercing to 1#109743
Conversation
…f coercing to 1
resolveLimit in sessions-history-http.ts silently coerced invalid limit
query parameters to 1: non-numeric strings (Number.NaN) and values
below 1 all became limit=1 without any signal to the caller that the
input was malformed. A request like ?limit=abc returned the latest
message as if the caller had asked for limit=1, hiding bugs in
pagination callers that computed invalid limits.
Return a { limit?, error? } result from resolveLimit and reply with
400 invalid_request_error when the limit is non-numeric, below 1, or
exceeds the finite integer range. Valid limits continue to be clamped
to MAX_SESSION_HISTORY_LIMIT as before.
Add regression tests covering non-numeric (?limit=abc) and zero
(?limit=0) inputs. Both now return 400 instead of silently producing
a single-message response.
|
Codex review: needs real behavior proof before merge. Reviewed July 17, 2026, 12:25 PM ET / 16:25 UTC. Summary PR surface: Source +7, Tests +23. Total +30 across 2 files. Reproducibility: yes. from source: current main maps non-numeric and below-one Review metrics: 1 noteworthy metric.
Stored data model Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review findings
Review detailsBest possible solution: Reject non-digit, below-one, non-finite, and non-safe-integer limits before clamping; add focused coverage for every claimed invalid class, then approve the HTTP contract change only after a redacted real Gateway transcript proves invalid, valid, and clamped requests. Do we have a high-confidence way to reproduce the issue? Yes from source: current main maps non-numeric and below-one Is this the best way to solve the issue? No in its current form: strict validation is the right layer, but the implementation must reject unsafe integers before clamping and prove the actual endpoint behavior; the compatibility decision remains human-owned. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 4bfaccafd62a. Label changesLabel justifications:
Evidence reviewedPR surface: Source +7, Tests +23. Total +30 across 2 files. View PR surface stats
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (3 earlier review cycles)
|
|
Maintainer pass complete on exact head
Best-fix verdict: the direct Gateway handler owns this query contract; the shared strict parser owns numeric conversion; the narrow digit-only overflow branch preserves shipped compatibility. Ready for exact-head CI and repo-native prepare/merge. @clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. Re-review progress:
|
|
Merged via squash.
|
…f coercing to 1 (openclaw#109743) * fix(gateway): reject invalid session history limit with 400 instead of coercing to 1 resolveLimit in sessions-history-http.ts silently coerced invalid limit query parameters to 1: non-numeric strings (Number.NaN) and values below 1 all became limit=1 without any signal to the caller that the input was malformed. A request like ?limit=abc returned the latest message as if the caller had asked for limit=1, hiding bugs in pagination callers that computed invalid limits. Return a { limit?, error? } result from resolveLimit and reply with 400 invalid_request_error when the limit is non-numeric, below 1, or exceeds the finite integer range. Valid limits continue to be clamped to MAX_SESSION_HISTORY_LIMIT as before. Add regression tests covering non-numeric (?limit=abc) and zero (?limit=0) inputs. Both now return 400 instead of silently producing a single-message response. * fix(gateway): validate session history limits --------- Co-authored-by: Patrick Erichsen <patrick.a.erichsen@gmail.com>
What Problem This Solves
The direct Gateway session-history endpoint silently treated invalid
limitquery values as1. Requests such as?limit=abc,?limit=0, negative values, and decimals returned HTTP 200 with one message, hiding caller bugs.Why This Change Was Made
The endpoint now uses
parseStrictPositiveIntegerfrom@openclaw/normalization-core/number-coercionand the sharedResulttype:limitremains optional;invalid_request_error;MAX_SESSION_HISTORY_LIMIT;The fix stays in the raw Node Gateway handler. It does not add a route framework or a shared query helper.
User Impact
Clients now receive an explicit HTTP 400 for invalid explicit limits instead of a misleading one-message success response. Valid requests are unchanged, including the existing oversized all-digit clamp to 1,000 messages.
Evidence
Exact maintainer head:
df3793296fd5a8a5b9eab38c55362a889786e27f.tbx_01kxrgxeq6yk40m74jf3z76xt2: 9 focused Gateway HTTP tests passed for empty, whitespace, malformed, zero, negative, fractional, valid bounded (1,+1), and oversized-clamped values.git diff --checkpassed.check:changedpassed formatting, core/core-test typechecks, changed-file lint, dependency checks, and architecture guards before the Testbox transport ended with exit 255 during later generic guards; no check failure was reported.origin/mainSHA8a8706cb5d0448fe2a15b1afae81bfe419322e55, while all changed limit tests passed.