fix(source-map-debug): Make index check more robust (#53582)

this pr adds in a check to make sure frame_idx and exception_idx are integers. Resolves SENTRY-141S
getsentry · Jul 26, 2023 · 09272ea · 09272ea
1 parent 0df82e7
commit 09272ea
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 2 deletions.
diff --git a/src/sentry/api/endpoints/source_map_debug.py b/src/sentry/api/endpoints/source_map_debug.py
@@ -54,16 +54,23 @@ def get(self, request: Request, project: Project, event_id: str) -> Response:
         Return a list of source map errors for a given event.
         """
         frame_idx = request.GET.get("frame_idx")
+
         if not frame_idx:
             raise ParseError(detail="Query parameter 'frame_idx' is required")
 
-        frame_idx = int(frame_idx)
+        try:
+            frame_idx = int(frame_idx)
+        except ValueError:
+            raise ParseError(detail="Query parameter 'frame_idx' must be an integer")
 
         exception_idx = request.GET.get("exception_idx")
         if not exception_idx:
             raise ParseError(detail="Query parameter 'exception_idx' is required")
 
-        exception_idx = int(exception_idx)
+        try:
+            exception_idx = int(exception_idx)
+        except ValueError:
+            raise ParseError(detail="Query parameter 'exception_idx' must be an integer")
 
         debug_response = source_map_debug(project, event_id, exception_idx, frame_idx)
         issue, data = debug_response.issue, debug_response.data

diff --git a/tests/sentry/api/endpoints/test_source_map_debug.py b/tests/sentry/api/endpoints/test_source_map_debug.py
@@ -71,6 +71,33 @@ def test_no_frame_given(self):
         )
         assert resp.data["detail"] == "Query parameter 'frame_idx' is required"
 
+    def test_non_integer_frame_given(self):
+        event = self.store_event(
+            data={"event_id": "a" * 32, "release": "my-release"}, project_id=self.project.id
+        )
+        resp = self.get_error_response(
+            self.organization.slug,
+            self.project.slug,
+            event.event_id,
+            frame_idx="hello",
+            status_code=status.HTTP_400_BAD_REQUEST,
+        )
+        assert resp.data["detail"] == "Query parameter 'frame_idx' must be an integer"
+
+    def test_non_integer_exception_given(self):
+        event = self.store_event(
+            data={"event_id": "a" * 32, "release": "my-release"}, project_id=self.project.id
+        )
+        resp = self.get_error_response(
+            self.organization.slug,
+            self.project.slug,
+            event.event_id,
+            frame_idx=0,
+            exception_idx="hello",
+            status_code=status.HTTP_400_BAD_REQUEST,
+        )
+        assert resp.data["detail"] == "Query parameter 'exception_idx' must be an integer"
+
     def test_frame_out_of_bounds(self):
         event = self.store_event(
             data=self.base_data,