plone · davisagli · Jan 14, 2025 · Jan 13, 2025 · Jan 14, 2025 · Jan 14, 2025
diff --git a/news/1855.bugfix b/news/1855.bugfix
@@ -0,0 +1 @@
+Changed bad int inputs into 500 Exceptions to 400 BadRequest so they can be filtered out of logs more easily. @djay
diff --git a/src/plone/restapi/batching.py b/src/plone/restapi/batching.py
@@ -1,7 +1,9 @@
 from plone.batching.batch import Batch
 from plone.restapi.deserializer import json_body
+from plone.restapi.exceptions import DeserializationError
 from urllib.parse import parse_qsl
 from urllib.parse import urlencode
+from zExceptions import BadRequest
 
 
 DEFAULT_BATCH_SIZE = 25
@@ -11,13 +13,15 @@ class HypermediaBatch:
     def __init__(self, request, results):
         self.request = request
 
-        self.b_start = int(json_body(self.request).get("b_start", False)) or int(
-            self.request.form.get("b_start", 0)
-        )
-        self.b_size = int(json_body(self.request).get("b_size", False)) or int(
-            self.request.form.get("b_size", DEFAULT_BATCH_SIZE)
-        )
-
+        try:
+            self.b_start = int(json_body(self.request).get("b_start", False)) or int(
+                self.request.form.get("b_start", 0)
+            )
+            self.b_size = int(json_body(self.request).get("b_size", False)) or int(
+                self.request.form.get("b_size", DEFAULT_BATCH_SIZE)
+            )
+        except (ValueError, DeserializationError) as e:
+            raise BadRequest(e)
         self.batch = Batch(results, self.b_size, self.b_start)
 
     def __iter__(self):

diff --git a/src/plone/restapi/services/navigation/get.py b/src/plone/restapi/services/navigation/get.py
@@ -17,6 +17,7 @@
 from zope.i18n import translate
 from zope.interface import implementer
 from zope.interface import Interface
+from zExceptions import BadRequest
 
 
 @implementer(IExpandableElement)
@@ -29,7 +30,10 @@ def __init__(self, context, request):
 
     def __call__(self, expand=False):
         if self.request.form.get("expand.navigation.depth", False):
-            self.depth = int(self.request.form["expand.navigation.depth"])
+            try:
+                self.depth = int(self.request.form["expand.navigation.depth"])
+            except (ValueError, TypeError) as e:
+                raise BadRequest(e)
         else:
             self.depth = 1
 

diff --git a/src/plone/restapi/tests/test_batching.py b/src/plone/restapi/tests/test_batching.py
@@ -185,6 +185,11 @@ def test_batching_links_omitted_if_resulset_fits_in_single_batch(self):
         response = self.api_session.get("/collection?b_size=100")
         self.assertNotIn("batching", list(response.json()))
 
+    def test_batching_badrequests(self):
+        response = self.api_session.get("/collection?b_size=php")
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("invalid literal for int()", response.json()["message"])
+
 
 class TestBatchingDXFolders(TestBatchingDXBase):
 

diff --git a/src/plone/restapi/tests/test_services_navigation.py b/src/plone/restapi/tests/test_services_navigation.py
@@ -239,3 +239,11 @@ def test_use_nav_title_when_available_and_set(self):
         )
 
         self.assertEqual(response.json()["items"][1]["items"][-1]["title"], nav_title)
+
+    def test_navigation_badrequests(self):
+        response = self.api_session.get(
+            "/folder/@navigation", params={"expand.navigation.depth": "php"}
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("invalid literal for int()", response.json()["message"])
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Changed bad int inputs into 500 Exceptions to 400 BadRequest so they can be filtered out of logs more easily. @djay