Hourly contributions API accepts invalid day ranges

[eshaanag]

Problem

The hourly contributions endpoint reads days with Number(value) || 30 and uses it directly in date arithmetic. Negative values query a future date range, fractional values are silently accepted, and unbounded values such as Infinity or very large numbers make toISOString() throw, returning a 502 instead of a validation response.

Location

src/app/api/metrics/contributions/hourly/route.ts:20 (GET)

Evidence

• days=-30 computes a future since date.
• days=1.5 is accepted even though the range is expressed in days.
• days=Infinity and sufficiently large values produce RangeError: Invalid time value before the GitHub request.
• The main contributions, repos, and productive-hours endpoints already clamp equivalent parameters to 1..365.

Why this matters

The endpoint can generate incorrect GitHub search windows or fail with a server error for malformed client input. It also behaves inconsistently with the other metrics endpoints.

Suggested approach

Parse days as an integer, default invalid input to the existing 30-day range, and clamp valid input to 1..365 before computing the cache key and since date. Add route tests covering negative, fractional, zero, and unbounded values.

Requesting this be added to GSSoC - happy to work on it.

[shauryavardhan1307]

/assign gssoc

[Honey-pg]

/assign me under gssoc'26.

[github-actions]

Assigned to @Honey-pg! You have 7 days to open a PR. No PR after 7 days = auto-unassigned so others can pick it up. Good luck!