Verified Commit 51d4b7f9 authored by Kevin Morris's avatar Kevin Morris

fix(rpc): limit Package results, not relationships

...This was an obvious bug in hindsight. Apologies :(

Closes #314

Signed-off-by: Kevin Morris's avatarKevin Morris <kevr@0cost.org>
parent 1e31db47
...@@ -202,7 +202,12 @@ class RPC: ...@@ -202,7 +202,12 @@ class RPC:
models.User.ID == models.PackageBase.MaintainerUID, models.User.ID == models.PackageBase.MaintainerUID,
isouter=True isouter=True
).filter(models.Package.Name.in_(args)) ).filter(models.Package.Name.in_(args))
packages = self._entities(packages)
max_results = config.getint("options", "max_rpc_results")
packages = self._entities(packages).limit(max_results + 1)
if packages.count() > max_results:
raise RPCError("Too many package results.")
ids = {pkg.ID for pkg in packages} ids = {pkg.ID for pkg in packages}
...@@ -274,12 +279,7 @@ class RPC: ...@@ -274,12 +279,7 @@ class RPC:
] ]
# Union all subqueries together. # Union all subqueries together.
max_results = config.getint("options", "max_rpc_results") query = subqueries[0].union_all(*subqueries[1:]).all()
query = subqueries[0].union_all(*subqueries[1:]).limit(
max_results + 1).all()
if len(query) > max_results:
raise RPCError("Too many package results.")
# Store our extra information in a class-wise dictionary, # Store our extra information in a class-wise dictionary,
# which contains package id -> extra info dict mappings. # which contains package id -> extra info dict mappings.
......
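Review bot: `packages.count()` followed by the set comprehension over `packages` executes the limited query twice, once as a COUNT and once to fetch rows, so the cap check and the rows actually used come from separate reads. If nothing later in this method needs `packages` as a query object (the method continues outside the hunk), fetch once with `packages = self._entities(packages).limit(max_results + 1).all()` and test `if len(packages) > max_results:`. Separately, with the limit removed from the `union_all` in the second hunk, the relationship fetch is bounded only by how many related rows the selected packages carry. A short comment there, such as `# Unbounded on purpose: the Package cap above is the only limit on this request.`, would keep a later reader from assuming the relationship query is still capped.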
...@@ -15,6 +15,7 @@ import aurweb.models.relation_type as rt ...@@ -15,6 +15,7 @@ import aurweb.models.relation_type as rt
from aurweb import asgi, config, db, rpc, scripts, time from aurweb import asgi, config, db, rpc, scripts, time
from aurweb.models.account_type import USER_ID from aurweb.models.account_type import USER_ID
from aurweb.models.dependency_type import DEPENDS_ID
from aurweb.models.license import License from aurweb.models.license import License
from aurweb.models.package import Package from aurweb.models.package import Package
from aurweb.models.package_base import PackageBase from aurweb.models.package_base import PackageBase
...@@ -23,6 +24,7 @@ from aurweb.models.package_keyword import PackageKeyword ...@@ -23,6 +24,7 @@ from aurweb.models.package_keyword import PackageKeyword
from aurweb.models.package_license import PackageLicense from aurweb.models.package_license import PackageLicense
from aurweb.models.package_relation import PackageRelation from aurweb.models.package_relation import PackageRelation
from aurweb.models.package_vote import PackageVote from aurweb.models.package_vote import PackageVote
from aurweb.models.relation_type import PROVIDES_ID
from aurweb.models.user import User from aurweb.models.user import User
from aurweb.redis import redis_connection from aurweb.redis import redis_connection
...@@ -814,6 +816,16 @@ def test_rpc_too_many_search_results(client: TestClient, ...@@ -814,6 +816,16 @@ def test_rpc_too_many_search_results(client: TestClient,
def test_rpc_too_many_info_results(client: TestClient, packages: List[Package]): def test_rpc_too_many_info_results(client: TestClient, packages: List[Package]):
# Make many of these packages depend and rely on each other.
# This way, we can test to see that the exceeded limit stays true
# regardless of the number of related records.
with db.begin():
for i in range(len(packages) - 1):
db.create(PackageDependency, DepTypeID=DEPENDS_ID,
Package=packages[i], DepName=packages[i + 1].Name)
db.create(PackageRelation, RelTypeID=PROVIDES_ID,
Package=packages[i], RelName=packages[i + 1].Name)
config_getint = config.getint config_getint = config.getint
def mock_config(section: str, key: str): def mock_config(section: str, key: str):
......
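Review bot: The added setup in `test_rpc_too_many_info_results` only covers the direction where the package cap is exceeded, while the regression being fixed is the opposite one: a request under the package cap being rejected because its related rows outnumber `max_rpc_results`. The rest of the test body is outside the hunk, so this may already be asserted there. If it is not, a companion test that requests fewer packages than the cap, each with several dependencies and relations, and asserts a normal info response would pin the fix. `PackageDependency` is used in the new lines but its import is not among the visible import hunks, so it is presumably already imported in the unchanged lines between them.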