From 68a08a3613bd1e549178d9462d23185a740f099a Mon Sep 17 00:00:00 2001
From: Thomas Horner <thomas.horner@highpointwx.com>
Date: Tue, 28 Mar 2023 23:19:05 -0600
Subject: [PATCH] fix: handle invalid json in openapi query params gracefully

---
 packages/server/src/openapi/index.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/packages/server/src/openapi/index.ts b/packages/server/src/openapi/index.ts
index 3f1dfc09f..13f40edef 100644
--- a/packages/server/src/openapi/index.ts
+++ b/packages/server/src/openapi/index.ts
@@ -138,7 +138,11 @@ export async function handleRequest({
             if (method !== 'GET') {
                 return { status: 400, body: { message: 'invalid request method, only GET is supported' } };
             }
-            args = query?.q ? unmarshal(query.q as string) : {};
+            try {
+                args = query?.q ? unmarshal(query.q as string) : {};
+            } catch {
+                return { status: 400, body: { message: 'query param must contain valid JSON' } };
+            }
             break;
 
         case 'update':
@@ -158,7 +162,11 @@ export async function handleRequest({
             if (method !== 'DELETE') {
                 return { status: 400, body: { message: 'invalid request method, only DELETE is supported' } };
             }
-            args = query?.q ? unmarshal(query.q as string) : {};
+            try {
+                args = query?.q ? unmarshal(query.q as string) : {};
+            } catch {
+                return { status: 400, body: { message: 'query param must contain valid JSON' } };
+            }
             break;
 
         default: