From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Sat, 2 Aug 2025 13:23:04 +0000 (-0400)
Subject: Validate page bounds
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d92f202b00e43c986b31b9c5c7412ec0460898f;p=thirdparty%2Fpaperless-ngx.git

Validate page bounds
---
diff --git a/src/documents/serialisers.py b/src/documents/serialisers.py
index 5c06232ef..5a9c089f3 100644
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -1524,7 +1524,7 @@ class BulkEditSerializer(
 else:
 parameters["archive_fallback"] = False

- def _validate_parameters_edit_pdf(self, parameters):
+ def _validate_parameters_edit_pdf(self, parameters, document_id):
 if "operations" not in parameters:
 raise serializers.ValidationError("operations not specified")
 if not isinstance(parameters["operations"], list):
@@ -1556,6 +1556,15 @@ class BulkEditSerializer(
 "update_document only allowed with a single output document",
 )

+ doc = Document.objects.get(id=document_id)
+ # doc existence is already validated
+ if doc.page_count:
+ for op in parameters["operations"]:
+ if op["page"] < 1 or op["page"] > doc.page_count:
+ raise serializers.ValidationError(
+ f"Page {op['page']} is out of bounds for document with {doc.page_count} pages.",
+ )
+
 def validate(self, attrs):
 method = attrs["method"]
 parameters = attrs["parameters"]
@@ -1595,7 +1604,7 @@ class BulkEditSerializer(
 raise serializers.ValidationError(
 "Edit PDF method only supports one document",
 )
- self._validate_parameters_edit_pdf(parameters)
+ self._validate_parameters_edit_pdf(parameters, attrs["documents"][0])

 return attrs

diff --git a/src/documents/tests/test_api_bulk_edit.py b/src/documents/tests/test_api_bulk_edit.py
index 7e636b0c7..31aaff946 100644
--- a/src/documents/tests/test_api_bulk_edit.py
+++ b/src/documents/tests/test_api_bulk_edit.py
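Review bot: In the second hunk of `_validate_parameters_edit_pdf`, the lower-bound check `op["page"] < 1` sits inside `if doc.page_count:`, so a request with `page: 0` or a negative page for a document whose page count is unknown (None or 0) passes validation and is handed on to `bulk_edit.edit_pdf`. A page number below 1 is invalid regardless of whether the count is known, so only the upper bound should be gated on `doc.page_count`. The per-operation checks between the first and second hunk are not visible here; if they do not already guarantee that each operation has an integer `page`, the comparison raises KeyError/TypeError (a 500) rather than a ValidationError (a 400), which is worth confirming. The start of the function's body lies outside this hunk.

```python
        doc = Document.objects.get(id=document_id)
        # doc existence is already validated
        for op in parameters["operations"]:
            page = op["page"]
            # a page below 1 is never valid; the upper bound only applies when the count is known
            if page < 1 or (doc.page_count and page > doc.page_count):
                raise serializers.ValidationError(
                    f"Page {page} is out of bounds for document with {doc.page_count} pages.",
                )
```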
@@ -41,6 +41,7 @@ class TestBulkEditAPI(DirectoriesMixin, APITestCase):
 title="B",
 correspondent=self.c1,
 document_type=self.dt1,
+ page_count=5,
 )
 self.doc3 = Document.objects.create(
 checksum="C",
@@ -1555,6 +1556,32 @@ class TestBulkEditAPI(DirectoriesMixin, APITestCase):
 response.content,
 )

+ @mock.patch("documents.serialisers.bulk_edit.edit_pdf")
+ def test_edit_pdf_page_out_of_bounds(self, m):
+ """
+ GIVEN:
+ - API data for editing PDF is called
+ - The page number is out of bounds
+ WHEN:
+ - API is called
+ THEN:
+ - The API fails with a correct error code
+ """
+ self.setup_mock(m, "edit_pdf")
+ response = self.client.post(
+ "/api/documents/bulk_edit/",
+ json.dumps(
+ {
+ "documents": [self.doc2.id],
+ "method": "edit_pdf",
+ "parameters": {"operations": [{"page": 99}]},
+ },
+ ),
+ content_type="application/json",
+ )
+ self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+ self.assertIn(b"out of bounds", response.content)
+
 @override_settings(AUDIT_LOG_ENABLED=True)
 def test_bulk_edit_audit_log_enabled_simple_field(self):
 """
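Review bot: `test_edit_pdf_page_out_of_bounds` only exercises the upper bound (`page: 99` against the 5-page `doc2`); the validator it covers also rejects `page < 1`, and that branch has no test. A second request in the same test with `"parameters": {"operations": [{"page": 0}]}`, asserting the same `HTTP_400_BAD_REQUEST` and `b"out of bounds"`, would cover it. A further case for a document created without `page_count` would pin down what the serializer does when the count is unknown, since that is the path the validator currently skips; `m` is patched but the mock is never asserted on, so a short comment such as `# edit_pdf must not be reached when validation fails` with `m.assert_not_called()` would make the intent explicit.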