fix: Add row limit to DataCommunicator row data requests (#12415)
authorTatu Lund <tatu@vaadin.com>
Thu, 30 Sep 2021 09:09:27 +0000 (12:09 +0300)
committerGitHub <noreply@github.com>
Thu, 30 Sep 2021 09:09:27 +0000 (12:09 +0300)
* Add row limit to DataCommunicator row data requests

* Add missing constant

* Add unit test

* Add test for extending Grid

* Fixed test

server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java
server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java

index 0c1dafe09ee7e8bb2692f11f2878131f38e33b19..8d974c85d38ca681b375d900702fa63925527fbe 100644 (file)
@@ -60,6 +60,7 @@ import elemental.json.JsonObject;
 public class DataCommunicator<T> extends AbstractExtension {
 
     private Registration dataProviderUpdateRegistration;
+    private static final int MAXIMUM_ALLOWED_ROWS = 500;
 
     /**
      * Simple implementation of collection data provider communication. All data
@@ -306,10 +307,24 @@ public class DataCommunicator<T> extends AbstractExtension {
      */
     protected void onRequestRows(int firstRowIndex, int numberOfRows,
             int firstCachedRowIndex, int cacheSize) {
+        if (numberOfRows > getMaximumAllowedRows()) {
+            throw new IllegalStateException(
+                    "Client tried fetch more rows than allowed. This is denied to prevent denial of service.");
+        }
         setPushRows(Range.withLength(firstRowIndex, numberOfRows));
         markAsDirty();
     }
 
+    /**
+     * Set the maximum allowed rows to be fetched in one query.
+     * 
+     * @return Maximum allowed rows for one query.
+     * @since 8.14.1
+     */
+    protected int getMaximumAllowedRows() {
+        return MAXIMUM_ALLOWED_ROWS;
+    }    
+
     /**
      * Triggered when rows have been dropped from the client side cache.
      *
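Review bot: The new guard in onRequestRows rejects only counts above the limit, so a negative numberOfRows sent by the client still reaches `Range.withLength` on the following line; whether that call rejects negative lengths is not visible here, so the bound check should cover both ends itself, and the message should carry the requested and allowed counts so a rejection can be diagnosed from the logs (as written it also reads "tried fetch"). The getter's Javadoc says "Set the maximum allowed rows" although the method returns the limit and sets nothing; `Returns the maximum number of rows a single client request may fetch; override to raise or lower the limit.` describes what it does. Since the failure is a malformed request rather than bad server state, IllegalArgumentException would be the conventional type, though the new unit test expects IllegalStateException, so that is a judgement call. The closing brace of getMaximumAllowedRows also carries trailing whitespace. The Javadoc of onRequestRows starts before the hunk.
```java
protected void onRequestRows(int firstRowIndex, int numberOfRows,
        int firstCachedRowIndex, int cacheSize) {
    // Reject malformed or oversized requests before building the range;
    // the client controls both values.
    if (numberOfRows < 0 || numberOfRows > getMaximumAllowedRows()) {
        throw new IllegalStateException("Client tried to fetch "
                + numberOfRows + " rows but at most "
                + getMaximumAllowedRows()
                + " are allowed. This is denied to prevent denial of service.");
    }
    // … unchanged: setPushRows / markAsDirty …
```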
index c187c91471068e55ebd5a0ee41a74996cbf9f259..ed681f298d7839079cfb674abc4e76334db3f1bc 100644 (file)
@@ -314,4 +314,12 @@ public class DataCommunicatorTest {
         assertTrue("DataCommunicator should be marked as dirty",
                 ui.getConnectorTracker().isDirty(communicator));
     }
+
+
+    @Test(expected = IllegalStateException.class)
+    public void requestTooMuchRowsFail() {
+        TestDataCommunicator communicator = new TestDataCommunicator();
+        communicator.onRequestRows(0, communicator.getMaximumAllowedRows() + 10,
+                0, 0);
+    }
 }
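Review bot: requestTooMuchRowsFail pins only the rejection above the limit; nothing checks that a request of exactly getMaximumAllowedRows() rows is still accepted, so an off-by-one in the comparison (`>=` instead of `>`) would pass the suite. A companion test for the boundary closes that gap; if markAsDirty needs an attached UI it may have to set one up the way the preceding test does, which is not visible here. The method name reads better as requestTooManyRowsFails, and the two blank lines at the top of the hunk should be one.
```java
@Test
public void requestExactlyMaximumRowsAllowed() {
    TestDataCommunicator communicator = new TestDataCommunicator();
    communicator.onRequestRows(0, communicator.getMaximumAllowedRows(), 0,
            0);
}
```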
index 532095996707144522bb04188435d706d5787840..f0284b7f28572235c90524cbdb329cacb5ffaaa8 100644 (file)
@@ -827,4 +827,23 @@ public class GridTest {
                 column.isSortableByUser());
     }
 
+    @Test
+    public void extendGridCustomDataCommunicator() {
+        Grid<String> grid = new MyGrid<>();
+    }
+
+    public class MyDataCommunicator<T> extends DataCommunicator<T> {
+        @Override
+        protected int getMaximumAllowedRows() {
+            return 600;
+        }
+    }
+
+    public class MyGrid<T> extends Grid<T> {
+
+        public MyGrid() {
+            super(new MyDataCommunicator());
+        }
+
+    }
 }
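Review bot: extendGridCustomDataCommunicator asserts nothing, so it only proves that MyGrid can be constructed; the unused `grid` local should be checked, e.g. `assertTrue(grid.getDataCommunicator() instanceof MyDataCommunicator);` (assuming Grid exposes the communicator through getDataCommunicator and assertTrue is already imported, neither of which is visible here). The MyGrid constructor uses the raw type `new MyDataCommunicator()`; `super(new MyDataCommunicator<>());` avoids the unchecked warning. Both helper classes are non-static inner classes and so capture the GridTest instance for no reason; declaring them `static` is the usual form for test fixtures.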