From 04668bab4640eab410a090ed4d31db574d6bcdc9 Mon Sep 17 00:00:00 2001
From: Chris Blanchard
Date: Tue, 29 Dec 2015 02:23:56 +0000
Subject: [PATCH] Constrain user input on limit

---
 config/routes.js | 5 ++++-
 spec/messages.integration.js | 28 +++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/config/routes.js b/config/routes.js
index c30b78c..09e2089 100644
--- a/config/routes.js
+++ b/config/routes.js
@@ -31,8 +31,11 @@ module.exports = app => {
 });
 app.get("/api/messages", (request, response) => {
- const limit = parseInt(request.query.limit, 10) || 250;
 const page = parseInt(request.query.page, 10) || 0;
+
+ let limit = parseInt(request.query.limit, 10) || 250;
+ if (limit > 250 || limit < 1) limit = 250;
+
 let query = {};
 let searchTerm = request.query.query;
 if (searchTerm) {
diff --git a/spec/messages.integration.js b/spec/messages.integration.js
index 42d0085..28abbd9 100644
--- a/spec/messages.integration.js
+++ b/spec/messages.integration.js
@@ -71,7 +71,33 @@ describe("Messages", () => {
 done();
 });
 });
- it ("returns a maximum of last 250 messages");
+ it ("returns a maximum of last 250 messages", done => {
+ async.times(250, (n, next) => {
+ Message.create({
+ author: {
+ username: user.username,
+ avatar: user.avatar
+ },
+ content: "Message " + n
+ }, next);
+ }, (error) => {
+ if (error) return done(error);
+ request(app)
+ .get("/api/messages")
+ .query({
+ limit: 251
+ })
+ .expect("Content-Type", /json/)
+ .expect(200)
+ .end((error, response) => {
+ if (error) return done(error);
+ let result = response.body;
+ assert.equal(result.messages.length, 250);
+ assert.equal(result.limit, 250);
+ done();
+ });
+ });
+ });
 it ("is sensitive to pagination", done => {
 request(app)
 .get("/api/messages")
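Review bot: `page`, on the context line directly above the new `limit` clamp, still accepts any integer including negative values, so only one of the two user-controlled paging inputs is bounded by this change; `const page = Math.max(0, parseInt(request.query.page, 10) || 0);` would give it the same lower bound the patch gives `limit`. The literal 250 now appears three times in the new lines; hoisting it to `const MAX_LIMIT = 250;` above the handler and using it for both the default and the clamp keeps the cap in one place. How `page` is consumed is outside the hunk (the `app.get` handler continues past it), so whether a negative value reaches the database query is inferred rather than visible.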
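Review bot: Seeding exactly 250 messages and then asserting `result.messages.length` equals 250 does not show the cap being enforced, because an unconstrained query over 250 rows also returns 250; changing the seed to `async.times(251, (n, next) => {` makes the length assertion meaningful, while `assert.equal(result.limit, 250)` remains the check on the echoed value. The lower bound the route also adds (`limit < 1`) has no case here; a second request with `limit: 0` or a non-numeric value expecting `result.limit` of 250 would cover it. `user`, `Message`, `async` and `app` come from setup outside the hunk, and the enclosing `describe("Messages")` block starts and ends outside it.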