Validate money change input in update_money function: Added checks to ensure the money_change value is finite before executing the database update, preventing potential serialization errors with invalid values.

2025-12-08 15:53:31 +01:00
parent b4b3b1adcc
commit ad0033031d
1 changed files with 16 additions and 1 deletions
--- a/src/worker/base.rs
+++ b/src/worker/base.rs
@@ -147,7 +147,22 @@ impl BaseWorker {
        "#;

        conn.prepare("update_money", QUERY_UPDATE_MONEY)?;
-        let _ = conn.execute("update_money", &[&falukant_user_id, &money_change, &action])?;
+        use postgres::types::ToSql;
+
+        // Validate float to avoid passing NaN/inf which the postgres client
+        // may fail to serialize with an unclear error message.
+        if !money_change.is_finite() {
+            return Err(DbError::new(format!(
+                "Ungültiger money_change: {} (not finite)",
+                money_change
+            )));
+        }
+
+        let p1: &(dyn ToSql + Sync) = &falukant_user_id;
+        let p2: &(dyn ToSql + Sync) = &money_change;
+        let p3: &(dyn ToSql + Sync) = &action;
+
+        let _ = conn.execute("update_money", &[p1, p2, p3])?;

        Ok(())
    }