authorTatu Lund <tatu@vaadin.com>2021-09-30 12:09:27 +0300
committerGitHub <noreply@github.com>2021-09-30 12:09:27 +0300
commit2fc98eaf9c0e2cd42cf4a66fb6d2cd2e9f0a08a9 (patch)
tree4eebeaca167ddb182bc5e3b8df4e1fc0369afd26 /server/src/main
parent845e12f65fa1c07c3bf721d5a4af43da08ec5101 (diff)
fix: Add row limit to DataCommunicator row data requests (#12415)
* Add row limit to DataCommunicator row data requests * Add missing constant * Add unit test * Add test for extending Grid * Fixed test
Diffstat (limited to 'server/src/main')
-rw-r--r--server/src/main/java/com/vaadin/data/provider/DataCommunicator.java15
1 files changed, 15 insertions, 0 deletions
diff --git a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
index 0c1dafe09e..8d974c85d3 100644
--- a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
+++ b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
@@ -60,6 +60,7 @@ import elemental.json.JsonObject;
public class DataCommunicator<T> extends AbstractExtension {
private Registration dataProviderUpdateRegistration;
+ private static final int MAXIMUM_ALLOWED_ROWS = 500;
/**
* Simple implementation of collection data provider communication. All data
@@ -306,11 +307,25 @@ public class DataCommunicator<T> extends AbstractExtension {
*/
protected void onRequestRows(int firstRowIndex, int numberOfRows,
int firstCachedRowIndex, int cacheSize) {
+ if (numberOfRows > getMaximumAllowedRows()) {
+ throw new IllegalStateException(
+ "Client tried fetch more rows than allowed. This is denied to prevent denial of service.");
+ }
setPushRows(Range.withLength(firstRowIndex, numberOfRows));
markAsDirty();
}
/**
+ * Set the maximum allowed rows to be fetched in one query.
+ *
+ * @return Maximum allowed rows for one query.
+ * @since 8.14.1
+ */
+ protected int getMaximumAllowedRows() {
+ return MAXIMUM_ALLOWED_ROWS;
+ }
+
+ /**
* Triggered when rows have been dropped from the client side cache.
*
* @param keys
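Review bot: The new guard in `onRequestRows` bounds only the upper side of the client-supplied `numberOfRows`; a negative count still passes it and reaches `Range.withLength(firstRowIndex, numberOfRows)`, and whether that call rejects it is not visible in this hunk. Consider making the check explicit with `if (numberOfRows < 0 || numberOfRows > getMaximumAllowedRows())`, and put the requested count and the limit in the exception message so a rejected request can be traced in the server log. Separately, the Javadoc on `getMaximumAllowedRows()` opens with "Set" although the method is a getter; it should read `Gets the maximum number of rows a client may request in one query.` Because the method is `protected` and meant to be overridden, the Javadoc should also say that returning a larger value raises the bound that guards against oversized fetches.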