
Changing state of notifications via API results in internal server error 500 #25545

Closed
@matusf

Description

Hi, I've been fuzzing Gitea with openapi-fuzzer and found that sending a PUT request to the /api/v1/notifications endpoint with an invalid last_read_at query parameter causes Gitea to respond with an internal server error 500 status code.

request & response

curl -X PUT -H "Authorization: token $TOKEN" 'http://127.0.0.1:3000/api/v1/notifications?last_read_at=x'
{
  "message": "parsing time \"x\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"x\" as \"2006\"",
  "url": "http://localhost:3000/api/swagger"
}

logs

2023/06/27 23:59:09 ...pi/v1/notify/user.go:135:ReadNotifications() [E] [649b5bad] InternalServerError: parsing time "x" as "2006-01-02T15:04:05Z07:00": cannot parse "x" as "2006"
2023/06/27 23:59:09 [649b5bad] router: completed PUT /api/v1/notifications?last_read_at=x for 127.0.0.1:47256, 500 Internal Server Error in 20.1ms @ notify/user.go:93(notify.ReadNotifications)

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

linux

How are you running Gitea?

  • I downloaded Gitea from Github
  • I run it from command-line
  • did not use a package or systemd

Database

SQLite
