Date range validation does not enforce MAX_PAGINATION_MONTH_DATE_RANGE for user-provided dates #2015
Description
When a user provides start_date and end_date query parameters that exceed MAX_PAGINATION_MONTH_DATE_RANGE (default: 1, test used 3), the API accepts the request and returns results instead of rejecting with 400.
Root Cause
In pkg/net/http/httputils.go, the validateDates function uses MAX_PAGINATION_MONTH_DATE_RANGE only to compute the default date range when no dates are provided. When the user explicitly provides both start_date and end_date, the function validates:
- Both dates present (not just one)
- Valid date format
- Start date before end date
But it never checks whether the range between the two dates exceeds MAX_PAGINATION_MONTH_DATE_RANGE.
Affected Endpoints
All list endpoints that use validateDates via ValidateParameters.
Expected Behavior
When user-provided start_date to end_date exceeds the configured max range, return HTTP 400 with a structured error.
Suggested Fix
Add a range check after the existing validations:
```go
if maxDateRangeMonths != 0 {
	maxEnd := startDate.AddDate(0, maxDateRangeMonths, 0)
	if endDate.After(maxEnd) {
		return pkg.ValidateBusinessError(constant.ErrInvalidDateRange, "")
	}
}
```
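The following self-contained sketch is an added example, not the project's code. It runs the three checks listed under Root Cause plus the missing upper bound, and shows how `AddDate` treats a month-end start date. The function name, the error values, the `YYYY-MM-DD` layout and the choice to accept equal start and end dates are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical sentinel errors; the project uses its own error constants.
var (
	ErrMissingDate  = errors.New("start_date and end_date must be provided together")
	ErrDateFormat   = errors.New("dates must use YYYY-MM-DD")
	ErrDateOrder    = errors.New("start_date must not be after end_date")
	ErrRangeTooWide = errors.New("date range exceeds configured maximum")
)

const layout = "2006-01-02" // assumed query-parameter date format

// checkDateRange is a hypothetical stand-in for the checks the issue lists,
// plus the missing upper bound. maxMonths == 0 disables the bound.
func checkDateRange(start, end string, maxMonths int) error {
	if (start == "") != (end == "") {
		return ErrMissingDate
	}
	if start == "" { // neither given: caller applies the default window
		return nil
	}
	s, err := time.Parse(layout, start)
	if err != nil {
		return ErrDateFormat
	}
	e, err := time.Parse(layout, end)
	if err != nil {
		return ErrDateFormat
	}
	if s.After(e) {
		return ErrDateOrder
	}
	// AddDate normalizes overflow: 2024-01-31 + 1 month = 2024-03-02,
	// so a month-end start gets a slightly wider window than 1 month.
	if maxMonths != 0 && e.After(s.AddDate(0, maxMonths, 0)) {
		return ErrRangeTooWide
	}
	return nil
}

func main() {
	fmt.Println(checkDateRange("2024-01-01", "2024-04-01", 3)) // constructed input, at the limit
	fmt.Println(checkDateRange("2024-01-01", "2024-04-02", 3)) // constructed input, one day over
}
```

A regression test for the fix should cover the exact boundary day, one day past it, and a start date on the 29th to 31st of a month.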