authorRobin Appelman <robin@icewind.nl>2022-09-08 12:43:37 +0200
committerRobin Appelman <robin@icewind.nl>2022-09-08 13:32:01 +0200
commit3df872b9a17ddc3d9a3e25b1b4ebb5cf0f3d843f (patch)
tree61f63b6df1fbb79cd8df2acf8a2ac7c94bafa147
parent54f36610dd39fe2d1a5844013dba7504de6dc871 (diff)
add a limit to the amount of operators a client can add to a search query
Signed-off-by: Robin Appelman <robin@icewind.nl>
-rw-r--r--apps/dav/lib/Files/FileSearchBackend.php27
1 files changed, 27 insertions, 0 deletions
diff --git a/apps/dav/lib/Files/FileSearchBackend.php b/apps/dav/lib/Files/FileSearchBackend.php
index 7ee82779849..c819fa6afc6 100644
--- a/apps/dav/lib/Files/FileSearchBackend.php
+++ b/apps/dav/lib/Files/FileSearchBackend.php
@@ -55,6 +55,8 @@ use SearchDAV\Query\Order;
use SearchDAV\Query\Query;
class FileSearchBackend implements ISearchBackend {
+ const OPERATOR_LIMIT = 100;
+
/** @var CachingTree */
private $tree;
@@ -315,6 +317,11 @@ class FileSearchBackend implements ISearchBackend {
}
}
+ $operatorCount = $this->countSearchOperators($query->where);
+ if ($operatorCount > self::OPERATOR_LIMIT) {
+ throw new \InvalidArgumentException('Invalid search query, maximum operator limit of ' . self::OPERATOR_LIMIT . ' exceeded, got ' . $operatorCount . ' operators');
+ }
+
return new SearchQuery(
$this->transformSearchOperation($query->where),
(int)$limit->maxResults,
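Review bot: The limit check relies on countSearchOperators (third hunk), which counts only leaf comparisons: the AND/OR/NOT branch returns the sum of its children without adding itself, so a query wrapped in arbitrarily many nested logical operators around a single comparison still counts as 1 and passes the `OPERATOR_LIMIT` check, and a logical operator with an empty argument list counts as 0. Counting the logical node too, `return 1 + array_sum(array_map([$this, 'countSearchOperators'], $arguments));`, makes the limit bound the whole tree, which is what the commit message describes. Note also that the walk recurses over the entire tree before the comparison on `if ($operatorCount > self::OPERATOR_LIMIT)`, so the check does not shield countSearchOperators' own recursion from very deep input; if that matters, a depth argument on the recursive call would let the walk stop early. The enclosing method starts and ends outside this hunk. The constant added in the first hunk would also read better with an explicit visibility, `private const OPERATOR_LIMIT = 100;`.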
@@ -325,6 +332,26 @@ class FileSearchBackend implements ISearchBackend {
);
}
+ private function countSearchOperators(Operator $operator): int {
+ switch ($operator->type) {
+ case Operator::OPERATION_AND:
+ case Operator::OPERATION_OR:
+ case Operator::OPERATION_NOT:
+ /** @var Operator[] $arguments */
+ $arguments = $operator->arguments;
+ return array_sum(array_map([$this, 'countSearchOperators'], $arguments));
+ case Operator::OPERATION_EQUAL:
+ case Operator::OPERATION_GREATER_OR_EQUAL_THAN:
+ case Operator::OPERATION_GREATER_THAN:
+ case Operator::OPERATION_LESS_OR_EQUAL_THAN:
+ case Operator::OPERATION_LESS_THAN:
+ case Operator::OPERATION_IS_LIKE:
+ case Operator::OPERATION_IS_COLLECTION:
+ default:
+ return 1;
+ }
+ }
+
/**
* @param Order $order
* @return ISearchOrder