fix sql injection vulnerability in get_song_relations 😅

app/api/songs.py

@@ -62,7 +62,11 @@ def new_song():
 
 @api.route('/songs/<int:id>/related')
 def get_song_relations(id):
-    top = request.args.get('top')
+    top_str = request.args.get('top')
+    if not top_str.isdigit() or not int(top_str) > 0:
+        message = 'top query param must be an int greater than 0'
+        return bad_request(message)
+    top = int(request.args.get('top'))
     song = Song.query.filter_by(id=id).first()
     if not song:
         return route_not_found(song)

test/api/test_song_relations.py

@@ -331,3 +331,22 @@ def test_song_relation_get_related_songs(self):
         assert len(res.json) == 1
         assert res.json[0]['id'] == self.songs['edm'][1]['id']
 
+    def test_get_song_relations_top_query_param(self):
+        song_id = self.songs['edm'][0]['id']
+        res = self.client.get(url_for('api.get_song_relations', id=song_id, top=0),
+                              content_type='application/json')
+        assert res.status_code == 400
+        assert res.json['error'] == 'bad request'
+        assert res.json['message'] == 'top query param must be an int greater than 0'
+
+        res = self.client.get(url_for('api.get_song_relations', id=song_id, top=-1),
+                              content_type='application/json')
+        assert res.status_code == 400
+        assert res.json['error'] == 'bad request'
+        assert res.json['message'] == 'top query param must be an int greater than 0'
+
+        res = self.client.get(url_for('api.get_song_relations', id=song_id, top='10; select * from users'),
+                              content_type='application/json')
+        assert res.status_code == 400
+        assert res.json['error'] == 'bad request'
+        assert res.json['message'] == 'top query param must be an int greater than 0'