fix: handle invalid json in openapi query params gracefully

potion-cellar · potion-cellar · commit 68a08a3613bd · 2023-03-28T23:19:05.000-06:00
diff --git a/packages/server/src/openapi/index.ts b/packages/server/src/openapi/index.ts
@@ -138,7 +138,11 @@ export async function handleRequest({
             if (method !== 'GET') {
                 return { status: 400, body: { message: 'invalid request method, only GET is supported' } };
             }
-            args = query?.q ? unmarshal(query.q as string) : {};
+            try {
+                args = query?.q ? unmarshal(query.q as string) : {};
+            } catch {
+                return { status: 400, body: { message: 'query param must contain valid JSON' } };
+            }
             break;
 
         case 'update':
@@ -158,7 +162,11 @@ export async function handleRequest({
             if (method !== 'DELETE') {
                 return { status: 400, body: { message: 'invalid request method, only DELETE is supported' } };
             }
-            args = query?.q ? unmarshal(query.q as string) : {};
+            try {
+                args = query?.q ? unmarshal(query.q as string) : {};
+            } catch {
+                return { status: 400, body: { message: 'query param must contain valid JSON' } };
+            }
             break;
 
         default:
