From ad0033031d90d8c630c57b7daf6e65eb996f9788 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Mon, 8 Dec 2025 15:53:31 +0100
Subject: [PATCH] Validate money change input in update_money function: Added checks to ensure the money_change value is finite before executing the database update, preventing potential serialization errors with invalid values.
---
 src/worker/base.rs | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/worker/base.rs b/src/worker/base.rs
index ae291e4..9caed4b 100644
--- a/src/worker/base.rs
+++ b/src/worker/base.rs
@@ -147,7 +147,22 @@ impl BaseWorker {
 "#;
 conn.prepare("update_money", QUERY_UPDATE_MONEY)?;
- let _ = conn.execute("update_money", &[&falukant_user_id, &money_change, &action])?;
+ use postgres::types::ToSql;
+
+ // Validate float to avoid passing NaN/inf which the postgres client
+ // may fail to serialize with an unclear error message.
+ if !money_change.is_finite() {
+ return Err(DbError::new(format!(
+ "Ungültiger money_change: {} (not finite)",
+ money_change
+ )));
+ }
+
+ let p1: &(dyn ToSql + Sync) = &falukant_user_id;
+ let p2: &(dyn ToSql + Sync) = &money_change;
+ let p3: &(dyn ToSql + Sync) = &action;
+
+ let _ = conn.execute("update_money", &[p1, p2, p3])?;
 Ok(())
 }
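Review bot: The finiteness check sits after `conn.prepare("update_money", QUERY_UPDATE_MONEY)?`, so a NaN or infinite `money_change` is rejected only once the statement has already been prepared on the connection. Moving the `if !money_change.is_finite()` block to the top of the function, which starts outside this hunk, keeps rejected input from touching the database at all. The guard also accepts every finite value, so an extreme magnitude still reaches the update. If the balance column has a known range, a bound such as `if !money_change.is_finite() || money_change.abs() > MAX_MONEY_CHANGE` would catch that too (`MAX_MONEY_CHANGE` is a placeholder name, not something in the file). `let _ =` still discards the result of `conn.execute`, so, assuming the wrapper returns an affected-row count, a call that changes no row cannot be told apart from a successful one.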