From ac22dc75e0ba8db6185b1147faa4f44f64089f34 Mon Sep 17 00:00:00 2001
From: Nicholas Molnar <65710+neekolas@users.noreply.github.com>
Date: Wed, 10 Apr 2024 15:11:45 -0400
Subject: [PATCH] Add hard limit on rows per request (#370)

## tl;dr
- Enforce limit on max rows per request
---
 pkg/api/message/v1/service.go | 7 +++++++
 pkg/api/server_test.go | 20 ++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/pkg/api/message/v1/service.go b/pkg/api/message/v1/service.go
index d284135e..171a611e 100644
--- a/pkg/api/message/v1/service.go
+++ b/pkg/api/message/v1/service.go
@@ -35,6 +35,9 @@ const (
 // maxQueriesPerBatch defines the maximum number of queries we can support per batch.
 maxQueriesPerBatch = 50

+ // maxRowsPerQuery defines the maximum number of rows we can return in a single query
+ maxRowsPerQuery = 100
+
 // maxTopicsPerQueryRequest defines the maximum number of topics that can be queried in a single request.
 // the number is likely to be more than we want it to be, but would be a safe place to put it -
 // per Test_LargeQueryTesting, the request decoding already failing before it reaches th handler.
@@ -343,6 +346,10 @@ func (s *Service) Query(ctx context.Context, req *proto.QueryRequest) (*proto.Qu
 }
 }

+ if req.PagingInfo != nil && req.PagingInfo.Limit > maxRowsPerQuery {
+ return nil, status.Errorf(codes.InvalidArgument, "cannot exceed %d rows per query", maxRowsPerQuery)
+ }
+
 return s.store.Query(req)
 }

diff --git a/pkg/api/server_test.go b/pkg/api/server_test.go
index dfccb10c..65137a60 100644
--- a/pkg/api/server_test.go
+++ b/pkg/api/server_test.go
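Review bot: The guard added to Query in pkg/api/message/v1/service.go rejects only an explicit `Limit` above `maxRowsPerQuery`, so a request with a nil `PagingInfo` or with `Limit` left at 0 still goes to `s.store.Query(req)` unchanged. Whether that path is bounded depends on the store's default page size, which is not visible in this hunk; if that default is larger than 100 or absent, the cap does not hold for callers that omit the field. I would either clamp the effective limit before the store call or record the dependency next to the check, for example `// nil PagingInfo or Limit 0 falls through to the store default, which must stay <= maxRowsPerQuery`. The cap is also per query rather than per request as the subject line says: if batch requests are served through Query, one batch can still return up to `maxQueriesPerBatch` × `maxRowsPerQuery` rows. Query's body begins outside the hunk.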
@@ -318,6 +318,26 @@ func Test_QueryNoTopics(t *testing.T) {
 })
 }

+func Test_QueryTooManyRows(t *testing.T) {
+ ctx := withAuth(t, context.Background())
+ testGRPCAndHTTP(t, ctx, func(t *testing.T, client messageclient.Client, _ *Server) {
+ queryRes, err := client.Query(ctx, &messageV1.QueryRequest{
+ ContentTopics: []string{"foo"},
+ PagingInfo: &messageV1.PagingInfo{
+ Limit: 200,
+ },
+ })
+ grpcErr, ok := status.FromError(err)
+ if ok {
+ require.Equal(t, codes.InvalidArgument, grpcErr.Code())
+ require.EqualError(t, err, `rpc error: code = InvalidArgument desc = cannot exceed 100 rows per query`)
+ } else {
+ require.Regexp(t, `400 Bad Request: {"code\":3,\s?"message":"cannot exceed 100 rows per query",\s?"details":\[\]}`, err.Error())
+ }
+ require.Nil(t, queryRes)
+ })
+}
+
 func Test_QueryNonExistentTopic(t *testing.T) {
 ctx := withAuth(t, context.Background())
 testGRPCAndHTTP(t, ctx, func(t *testing.T, client messageclient.Client, _ *Server) {
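Review bot: Test_QueryTooManyRows exercises only `Limit: 200`, far above the cap, so the boundary of the new check is not pinned: a later change from `>` to `>=`, or a different constant, could pass unnoticed. I would add cases with `Limit: 100` expecting success and `Limit: 101` expecting `codes.InvalidArgument`. A request with no `PagingInfo` would also record what the server does when no limit is supplied. The expected messages hard-code `100`, so they have to be edited whenever `maxRowsPerQuery` changes; a short comment saying so above the assertions would help.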