
Validate query parameters like page and limit in REST API to avoid 500 errors

Open nkoestinger opened this issue 6 months ago • 0 comments

Hey Statamic team,

We're using Statamic's REST API and are encountering frequent 500 errors in our error monitoring (Rollbar) caused by invalid query parameters, usually from bot traffic or injection attempts that bypass our WAF.

One example:

GET /collections/teams/entries?sort=cnrtkn-date&page=cnrtkn3&limit=cnrtkn8

This results in:

TypeError: Unsupported operand types: string * int

The underlying issue is that page and limit expect integers, but when a string is passed (e.g., cnrtkn3), the Laravel Query Builder throws an unhandled exception because the string is passed on without any validation.

We believe it would be more appropriate for the API to validate these inputs and return a 4xx (e.g., 400 or 422) instead of allowing them to trigger a 500 Internal Server Error.

Proposed Solution: Add validation for numeric query parameters like page and limit in the REST API to ensure they are integers before attempting to use them in the query logic.

Let us know if there's a technical reason this isn't feasible. Otherwise, we think this could improve robustness and reduce noise in error monitoring systems.

Thanks!

nkoestinger · Jun 30 '25 07:06
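The validation the issue proposes, as an added example that is not Statamic's or the reporter's code: a plain-PHP check that rejects non-integer `page`/`limit` values with a 422 before anything reaches the query builder, run against the exact query string from the issue. The `validatePagination` function, its defaults and the 100-row cap are assumptions for illustration; the trailing comment shows the equivalent Laravel validation rules.

```php
<?php
// Added example (not Statamic's own code): validate page/limit from the raw
// query string so bad input becomes a 422, not a TypeError turned into a 500.
declare(strict_types=1);

/**
 * Returns [statusCode, payload]. On success payload holds the validated ints;
 * on failure it holds field => message, suitable for a 422 JSON body.
 * Defaults and the max limit are assumptions chosen for this example.
 */
function validatePagination(array $query, int $maxLimit = 100): array
{
    $rules = [
        'page'  => ['default' => 1,  'min' => 1, 'max' => PHP_INT_MAX],
        'limit' => ['default' => 25, 'min' => 1, 'max' => $maxLimit],
    ];
    $clean  = [];
    $errors = [];
    foreach ($rules as $name => $rule) {
        $raw = $query[$name] ?? null;
        if ($raw === null || $raw === '') {
            $clean[$name] = $rule['default'];   // absent: use the default
            continue;
        }
        // Arrays (?page[]=1) are rejected by the is_string gate; non-numeric
        // strings (cnrtkn3), leading-numeric strings (3abc), floats (1.5, 1e2)
        // and out-of-range values all fail FILTER_VALIDATE_INT.
        $int = is_string($raw)
            ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                'min_range' => $rule['min'], 'max_range' => $rule['max'],
              ]])
            : false;
        if ($int === false) {
            $errors[$name] = "The {$name} parameter must be an integer between "
                . "{$rule['min']} and {$rule['max']}.";
            continue;
        }
        $clean[$name] = $int;
    }
    return $errors === [] ? [200, $clean] : [422, ['errors' => $errors]];
}

// Constructed sample: the query string from the issue report.
parse_str('sort=cnrtkn-date&page=cnrtkn3&limit=cnrtkn8', $query);
[$status, $payload] = validatePagination($query);   // 422, both fields rejected

parse_str('page=3&limit=8', $query);
[$status, $payload] = validatePagination($query);   // 200, ['page' => 3, 'limit' => 8]
$offset = ($payload['page'] - 1) * $payload['limit']; // ints only, so no TypeError

// Laravel equivalent inside a controller (throws ValidationException => 422):
// $request->validate(['page' => 'sometimes|integer|min:1',
//                     'limit' => 'sometimes|integer|min:1|max:100']);
```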