author | Tatu Lund <tatu@vaadin.com> | 2021-09-30 12:09:27 +0300 |
committer | GitHub <noreply@github.com> | 2021-09-30 12:09:27 +0300 |
commit | 2fc98eaf9c0e2cd42cf4a66fb6d2cd2e9f0a08a9 (patch) | |
tree | 4eebeaca167ddb182bc5e3b8df4e1fc0369afd26 | |
parent | 845e12f65fa1c07c3bf721d5a4af43da08ec5101 (diff) | |
fix: Add row limit to DataCommunicator row data requests (#12415)
* Add row limit to DataCommunicator row data requests
* Add missing constant
* Add unit test
* Add test for extending Grid
* Fixed test
3 files changed, 42 insertions, 0 deletions
diff --git a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
index 0c1dafe09e..8d974c85d3 100644
--- a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
+++ b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
@@ -60,6 +60,7 @@ import elemental.json.JsonObject;
 public class DataCommunicator<T> extends AbstractExtension {
     private Registration dataProviderUpdateRegistration;
+    private static final int MAXIMUM_ALLOWED_ROWS = 500;
     /**
      * Simple implementation of collection data provider communication. All data
@@ -306,11 +307,25 @@ public class DataCommunicator<T> extends AbstractExtension {
      */
     protected void onRequestRows(int firstRowIndex, int numberOfRows,
             int firstCachedRowIndex, int cacheSize) {
+        if (numberOfRows > getMaximumAllowedRows()) {
+            throw new IllegalStateException(
+                    "Client tried fetch more rows than allowed. This is denied to prevent denial of service.");
+        }
         setPushRows(Range.withLength(firstRowIndex, numberOfRows));
         markAsDirty();
     }
     /**
+     * Set the maximum allowed rows to be fetched in one query.
+     *
+     * @return Maximum allowed rows for one query.
+     * @since 8.14.1
+     */
+    protected int getMaximumAllowedRows() {
+        return MAXIMUM_ALLOWED_ROWS;
+    }
+
+    /**
      * Triggered when rows have been dropped from the client side cache.
      *
      * @param keys
diff --git a/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java b/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java
index c187c91471..ed681f298d 100644
--- a/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java
+++ b/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java
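Review bot: The new guard at the top of `onRequestRows` only bounds `numberOfRows` from above, so a negative `numberOfRows`, a negative `firstRowIndex`, or a `firstRowIndex + numberOfRows` that overflows `int` still reaches `Range.withLength`; whether that helper rejects such values is not visible here, so an explicit `if (numberOfRows < 0 || numberOfRows > getMaximumAllowedRows())` together with a `firstRowIndex < 0` check would pin the accepted range instead of relying on it. `firstCachedRowIndex` and `cacheSize` arrive in the same client request and are not checked in the visible lines; if they feed cache bookkeeping elsewhere in the class, the same limit should apply to `cacheSize`. The Javadoc on `getMaximumAllowedRows()` says "Set the maximum allowed rows" although it is a getter meant to be overridden; `* Returns the maximum number of rows a client may fetch in one request; override to change the default of 500, which exists to bound server work per request.` states the contract, and the bare `MAXIMUM_ALLOWED_ROWS` constant in the earlier hunk could carry a one-line comment pointing at this method. The message "Client tried fetch more rows than allowed" is missing "to", and since the rejected value is request input rather than object state `IllegalArgumentException` is the conventional type, though which exception Vaadin's RPC layer turns into a client-visible error is not shown here. `onRequestRows` fits entirely in the hunk; the enclosing class continues outside it.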
@@ -314,4 +314,12 @@ public class DataCommunicatorTest {
         assertTrue("DataCommunicator should be marked as dirty",
                 ui.getConnectorTracker().isDirty(communicator));
     }
+
+
+    @Test(expected = IllegalStateException.class)
+    public void requestTooMuchRowsFail() {
+        TestDataCommunicator communicator = new TestDataCommunicator();
+        communicator.onRequestRows(0, communicator.getMaximumAllowedRows() + 10,
+                0, 0);
+    }
 }
diff --git a/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java b/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java
index 5320959967..f0284b7f28 100644
--- a/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java
+++ b/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java
@@ -827,4 +827,23 @@ public class GridTest {
                 column.isSortableByUser());
     }
+    @Test
+    public void extendGridCustomDataCommunicator() {
+        Grid<String> grid = new MyGrid<>();
+    }
+
+    public class MyDataCommunicator<T> extends DataCommunicator<T> {
+        @Override
+        protected int getMaximumAllowedRows() {
+            return 600;
+        }
+    }
+
+    public class MyGrid<T> extends Grid<T> {
+
+        public MyGrid() {
+            super(new MyDataCommunicator());
+        }
+
+    }
 }
|
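Review bot: `requestTooMuchRowsFail` only exercises the rejecting side of the new check; nothing pins the boundary, so a later change from `>` to `>=` in `onRequestRows` would still pass this suite while rejecting the largest legal request. A companion test such as `communicator.onRequestRows(0, communicator.getMaximumAllowedRows(), 0, 0);` with no expected exception (it should leave the communicator marked dirty, as the test immediately above checks) closes that gap. The name would read better as `requestTooManyRowsFail`, and the two blank `+` lines before `@Test` look unintentional.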
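Review bot: `extendGridCustomDataCommunicator` constructs a `MyGrid` and asserts nothing, so it only proves the subclasses compile; it never checks that the 600-row override is the limit the grid actually uses, and the local `grid` is unused. `super(new MyDataCommunicator())` also uses the raw type where `new MyDataCommunicator<>()` is available. Because `getMaximumAllowedRows()` is protected in another package, the test class cannot call it on the instance directly; a small public accessor on `MyDataCommunicator` lets the test assert the value, as sketched below, assuming `Grid` exposes its communicator via `getDataCommunicator()` (not visible in this hunk). `MyDataCommunicator` and `MyGrid` are non-static inner classes that capture the `GridTest` instance; `static` nested classes suffice unless the test needs the outer instance.
```java
    @Test
    public void extendGridCustomDataCommunicator() {
        Grid<String> grid = new MyGrid<>();
        assertEquals(600, ((MyDataCommunicator<?>) grid.getDataCommunicator())
                .maximumAllowedRowsForTest());
    }

    public static class MyDataCommunicator<T> extends DataCommunicator<T> {
        @Override
        protected int getMaximumAllowedRows() {
            return 600;
        }

        /** Exposes the protected limit so the test can assert on it. */
        public int maximumAllowedRowsForTest() {
            return getMaximumAllowedRows();
        }
    }

    // … unchanged: MyGrid, except super(new MyDataCommunicator<>()) …
```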