From 77358f030ab89268187b134249c95599e75d7377 Mon Sep 17 00:00:00 2001
From: Ocheretovich
Date: Mon, 11 May 2026 15:39:03 +0300
Subject: [PATCH] fix: validate max_items and offset query params in GET /history

---
 server.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/server.py b/server.py
index 2f3b438bb..685ec42e8 100644
--- a/server.py
+++ b/server.py
@@ -889,14 +889,22 @@ class PromptServer():
         @routes.get("/history")
         async def get_history(request):
             max_items = request.rel_url.query.get("max_items", None)
-            if max_items is not None:
+            if max_items is not None:
+                try:
                     max_items = int(max_items)
-
-            offset = request.rel_url.query.get("offset", None)
-            if offset is not None:
+                    if max_items <= 0:
+                        return web.json_response({"error": "max_items must be a positive integer"}, status=400)
+                except (ValueError, TypeError):
+                    return web.json_response({"error": "max_items must be an integer"}, status=400)
+
+            offset = request.rel_url.query.get("offset", None)
+            if offset is not None:
+                try:
                     offset = int(offset)
-            else:
-                offset = -1
+                except (ValueError, TypeError):
+                    return web.json_response({"error": "offset must be an integer"}, status=400)
+            else:
+                offset = -1
             return web.json_response(self.prompt_queue.get_history(max_items=max_items, offset=offset))