From e0b56b7495e809581a1e6447794bf7573a78af56 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Thu, 9 Jan 2020 09:36:31 +0100
Subject: [PATCH] Return an error on invalid count pagination

---
 server/initializers/constants.ts                    | 13 ++++++++++---
 server/middlewares/pagination.ts                    |  4 +---
 .../validators/activitypub/pagination.ts            |  9 +++++++--
 server/middlewares/validators/pagination.ts         |  9 +++++++--
 shared/extra-utils/requests/check-api-params.ts     | 12 ++++++++++--
 5 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index f4a2b358b4..8461c73200 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -22,9 +22,16 @@ const API_VERSION = 'v1'
 const PEERTUBE_VERSION = require(join(root(), 'package.json')).version
 
 const PAGINATION = {
-  COUNT: {
-    DEFAULT: 15,
-    MAX: 100
+  GLOBAL: {
+    COUNT: {
+      DEFAULT: 15,
+      MAX: 100
+    }
+  },
+  OUTBOX: {
+    COUNT: {
+      MAX: 50
+    }
   }
 }
 
diff --git a/server/middlewares/pagination.ts b/server/middlewares/pagination.ts
index 043869303f..b59717d7bc 100644
--- a/server/middlewares/pagination.ts
+++ b/server/middlewares/pagination.ts
@@ -5,11 +5,9 @@ function setDefaultPagination (req: express.Request, res: express.Response, next
   if (!req.query.start) req.query.start = 0
   else req.query.start = parseInt(req.query.start, 10)
 
-  if (!req.query.count) req.query.count = PAGINATION.COUNT.DEFAULT
+  if (!req.query.count) req.query.count = PAGINATION.GLOBAL.COUNT.DEFAULT
   else req.query.count = parseInt(req.query.count, 10)
 
-  if (req.query.count > PAGINATION.COUNT.MAX) req.query.count = PAGINATION.COUNT.MAX
-
   return next()
 }
 
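Review bot: With the clamp at the removed `if (req.query.count > PAGINATION.COUNT.MAX)` line gone, `setDefaultPagination` now depends entirely on `paginationValidator` having already run on the same route to bound `req.query.count`; a route that mounts this middleware without the validator, or before it, would hand an arbitrarily large count to the query layer. That ordering dependency is invisible in this file, so it should be written down, e.g. `// count is bounded by paginationValidator (max PAGINATION.GLOBAL.COUNT.MAX), which must run before this middleware; nothing is clamped here` above the `if (!req.query.count)` line. It is also worth confirming in the route tables that every use of setDefaultPagination is paired with the validator, since this commit silently removes the last line of defence for routes that are not. The function's signature line sits in the hunk header rather than in the hunk body.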
diff --git a/server/middlewares/validators/activitypub/pagination.ts b/server/middlewares/validators/activitypub/pagination.ts
index 8b32d3415c..fa21f063d4 100644
--- a/server/middlewares/validators/activitypub/pagination.ts
+++ b/server/middlewares/validators/activitypub/pagination.ts
@@ -2,10 +2,15 @@ import * as express from 'express'
 import { query } from 'express-validator'
 import { logger } from '../../../helpers/logger'
 import { areValidationErrors } from '../utils'
+import { PAGINATION } from '@server/initializers/constants'
 
 const apPaginationValidator = [
-  query('page').optional().isInt({ min: 1 }).withMessage('Should have a valid page number'),
-  query('size').optional().isInt({ max: 50 }).withMessage('Should have a valid page size (max: 50)'),
+  query('page')
+    .optional()
+    .isInt({ min: 1 }).withMessage('Should have a valid page number'),
+  query('size')
+    .optional()
+    .isInt({ min: 0, max: PAGINATION.OUTBOX.COUNT.MAX }).withMessage(`Should have a valid page size (max: ${PAGINATION.OUTBOX.COUNT.MAX})`),
 
   (req: express.Request, res: express.Response, next: express.NextFunction) => {
     logger.debug('Checking pagination parameters', { parameters: req.query })
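Review bot: The new `import { PAGINATION } from '@server/initializers/constants'` uses the `@server/` path alias while the three existing imports directly above it use relative paths, and the same mix appears in the server/middlewares/validators/pagination.ts hunk. One convention per file reads more easily and avoids depending on the alias being resolved by every tool that processes these files; the relative form here would be `import { PAGINATION } from '../../../initializers/constants'` (and `'../../initializers/constants'` in the other file). If the project is deliberately moving to the alias, converting the neighbouring imports in the same change would make that intent clear. The apPaginationValidator array continues past the end of the hunk.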
diff --git a/server/middlewares/validators/pagination.ts b/server/middlewares/validators/pagination.ts
index 80ae57c0bb..1cae7848c4 100644
--- a/server/middlewares/validators/pagination.ts
+++ b/server/middlewares/validators/pagination.ts
@@ -2,10 +2,15 @@ import * as express from 'express'
 import { query } from 'express-validator'
 import { logger } from '../../helpers/logger'
 import { areValidationErrors } from './utils'
+import { PAGINATION } from '@server/initializers/constants'
 
 const paginationValidator = [
-  query('start').optional().isInt({ min: 0 }).withMessage('Should have a number start'),
-  query('count').optional().isInt({ min: 0 }).withMessage('Should have a number count'),
+  query('start')
+    .optional()
+    .isInt({ min: 0 }).withMessage('Should have a number start'),
+  query('count')
+    .optional()
+    .isInt({ min: 0, max: PAGINATION.GLOBAL.COUNT.MAX }).withMessage(`Should have a number count (max: ${PAGINATION.GLOBAL.COUNT.MAX})`),
 
   (req: express.Request, res: express.Response, next: express.NextFunction) => {
     logger.debug('Checking pagination parameters', { parameters: req.query })
diff --git a/shared/extra-utils/requests/check-api-params.ts b/shared/extra-utils/requests/check-api-params.ts
index a2a549682a..c34c7c2168 100644
--- a/shared/extra-utils/requests/check-api-params.ts
+++ b/shared/extra-utils/requests/check-api-params.ts
@@ -11,14 +11,22 @@ function checkBadStartPagination (url: string, path: string, token?: string, que
   })
 }
 
-function checkBadCountPagination (url: string, path: string, token?: string, query = {}) {
-  return makeGetRequest({
+async function checkBadCountPagination (url: string, path: string, token?: string, query = {}) {
+  await makeGetRequest({
     url,
     path,
     token,
     query: immutableAssign(query, { count: 'hello' }),
     statusCodeExpected: 400
   })
+
+  await makeGetRequest({
+    url,
+    path,
+    token,
+    query: immutableAssign(query, { count: 2000 }),
+    statusCodeExpected: 400
+  })
 }
 
 function checkBadSortPagination (url: string, path: string, token?: string, query = {}) {
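Review bot: The second request at `query: immutableAssign(query, { count: 2000 })` only pins rejection of a value far beyond the limit, so the boundary this commit introduces (the maximum still accepted, maximum + 1 rejected) is not exercised, and the literal 2000 has no visible link to PAGINATION.GLOBAL.COUNT.MAX. If shared code is allowed to import the server constants, `count: PAGINATION.GLOBAL.COUNT.MAX + 1` states the intent directly; otherwise a short comment such as `// above PAGINATION.GLOBAL.COUNT.MAX (100) and PAGINATION.OUTBOX.COUNT.MAX (50)` keeps the number explainable. A companion check that the maximum itself still returns 200 would close the off-by-one gap, presumably in the callers since this helper only asserts 400s.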
-- 
GitLab