Edited `nova.api.openstack.common:limited` method to raise an HTTPBadRequest

exception if a negative limit or offset is given. I'm not confident that this
is the correct approach, because I guess this method could be called out of
an API/WSGI context, but the method *is* located in the OpenStack API module
and is currently only used in WSGI-capable methods, so we should be safe.

2 files changed, 28 insertions, 1 deletions

diff --git a/nova/api/openstack/common.py b/nova/api/openstack/common.py
index 1dc3767e2..9f85c5c8a 100644
--- a/nova/api/openstack/common.py
+++ b/nova/api/openstack/common.py
@@ -15,6 +15,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import webob.exc
+
 from nova import exception
 
 
@@ -27,7 +29,8 @@ def limited(items, request, max_limit=1000):
                     GET variables. 'offset' is where to start in the list,
                     and 'limit' is the maximum number of items to return. If
                     'limit' is not specified, 0, or > max_limit, we default
-                    to max_limit.
+                    to max_limit. Negative values for either offset or limit
+                    will cause exc.HTTPBadRequest() exceptions to be raised.
     @kwarg max_limit: The maximum number of items to return from 'items'
     """
     try:
@@ -40,6 +43,9 @@ def limited(items, request, max_limit=1000):
     except ValueError:
         limit = max_limit
 
+    if offset < 0 or limit < 0:
+        raise webob.exc.HTTPBadRequest()
+
     limit = min(max_limit, limit or max_limit)
     range_end = offset + limit
     return items[offset:range_end]
diff --git a/nova/tests/api/openstack/test_common.py b/nova/tests/api/openstack/test_common.py
index 59d850157..92023362c 100644
--- a/nova/tests/api/openstack/test_common.py
+++ b/nova/tests/api/openstack/test_common.py
@@ -19,6 +19,7 @@
 Test suites for 'common' code used throughout the OpenStack HTTP API.
 """
 
+import webob.exc
 
 from webob import Request
 
@@ -160,3 +161,23 @@ class LimiterTest(test.TestCase):
         self.assertEqual(limited(items, req, max_limit=2000), items[3:])
         req = Request.blank('/?offset=3000&limit=10')
         self.assertEqual(limited(items, req, max_limit=2000), [])
+
+    def test_limiter_negative_limit(self):
+        """
+        Test a negative limit.
+        """
+        def _limit_large():
+            limited(self.large, req, max_limit=2000)
+
+        req = Request.blank('/?limit=-3000')
+        self.assertRaises(webob.exc.HTTPBadRequest, _limit_large)
+
+    def test_limiter_negative_offset(self):
+        """
+        Test a negative offset.
+        """
+        def _limit_large():
+            limited(self.large, req, max_limit=2000)
+
+        req = Request.blank('/?offset=-30')
+        self.assertRaises(webob.exc.HTTPBadRequest, _limit_large)