fix(cortex-cli): validate PR numbers locally before API calls

factorydroid · factorydroid · commit 389a3192ed06 · 2026-01-26T19:20:09.000+04:00
Fixes bounty issue #1611

Added local validation for PR numbers in the pr command to prevent
wasting GitHub API rate limit quota on obviously invalid PR numbers.
The validation rejects zero and numbers exceeding 10 million, which
are unlikely to be valid PR numbers.
diff --git a/cortex-cli/src/pr_cmd.rs b/cortex-cli/src/pr_cmd.rs
@@ -53,6 +53,27 @@ fn validate_refspec(refspec: &str) -> Result<()> {
     Ok(())
 }
 
+/// Maximum reasonable PR number threshold.
+/// GitHub PR numbers are sequential and unlikely to exceed this value.
+/// This prevents wasting API calls on obviously invalid PR numbers.
+const MAX_REASONABLE_PR_NUMBER: u64 = 10_000_000;
+
+/// Validates that a PR number is within a reasonable range before making API calls.
+/// This prevents wasting API rate limit quota on obviously invalid PR numbers.
+fn validate_pr_number(pr_number: u64) -> Result<()> {
+    if pr_number == 0 {
+        bail!("Invalid PR number: PR numbers must be greater than 0.");
+    }
+    if pr_number > MAX_REASONABLE_PR_NUMBER {
+        bail!(
+            "Invalid PR number: {} exceeds the maximum reasonable PR number ({}).",
+            pr_number,
+            MAX_REASONABLE_PR_NUMBER
+        );
+    }
+    Ok(())
+}
+
 /// Pull Request CLI.
 #[derive(Debug, Parser)]
 pub struct PrCli {
@@ -90,6 +111,9 @@ async fn run_pr_checkout(args: PrCli) -> Result<()> {
     let repo_path = args.path.unwrap_or_else(|| PathBuf::from("."));
     let pr_number = args.number;
 
+    // Validate PR number locally before making any API calls
+    validate_pr_number(pr_number)?;
+
     // Change to repo directory
     std::env::set_current_dir(&repo_path)
         .with_context(|| format!("Failed to change to directory: {}", repo_path.display()))?;
@@ -342,4 +366,43 @@ mod tests {
         assert_eq!(owner, "Cortex-ai");
         assert_eq!(repo, "Cortex");
     }
+
+    #[test]
+    fn test_validate_pr_number_valid() {
+        assert!(validate_pr_number(1).is_ok());
+        assert!(validate_pr_number(100).is_ok());
+        assert!(validate_pr_number(12345).is_ok());
+        assert!(validate_pr_number(MAX_REASONABLE_PR_NUMBER).is_ok());
+    }
+
+    #[test]
+    fn test_validate_pr_number_zero() {
+        let result = validate_pr_number(0);
+        assert!(result.is_err());
+        assert!(
+            result
+                .unwrap_err()
+                .to_string()
+                .contains("must be greater than 0")
+        );
+    }
+
+    #[test]
+    fn test_validate_pr_number_too_large() {
+        let result = validate_pr_number(999_999_999_999);
+        assert!(result.is_err());
+        assert!(
+            result
+                .unwrap_err()
+                .to_string()
+                .contains("exceeds the maximum")
+        );
+    }
+
+    #[test]
+    fn test_validate_pr_number_boundary() {
+        // Just above the limit should fail
+        let result = validate_pr_number(MAX_REASONABLE_PR_NUMBER + 1);
+        assert!(result.is_err());
+    }
 }
