authorTatu Lund <tatu@vaadin.com>2021-09-30 12:09:27 +0300
committerGitHub <noreply@github.com>2021-09-30 12:09:27 +0300
commit2fc98eaf9c0e2cd42cf4a66fb6d2cd2e9f0a08a9 (patch)
tree4eebeaca167ddb182bc5e3b8df4e1fc0369afd26 /server/src
parent845e12f65fa1c07c3bf721d5a4af43da08ec5101 (diff)
downloadvaadin-framework-2fc98eaf9c0e2cd42cf4a66fb6d2cd2e9f0a08a9.tar.gz
vaadin-framework-2fc98eaf9c0e2cd42cf4a66fb6d2cd2e9f0a08a9.zip
fix: Add row limit to DataCommunicator row data requests (#12415)
* Add row limit to DataCommunicator row data requests * Add missing constant * Add unit test * Add test for extending Grid * Fixed test
Diffstat (limited to 'server/src')
-rw-r--r--server/src/main/java/com/vaadin/data/provider/DataCommunicator.java15
-rw-r--r--server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java8
-rw-r--r--server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java19
3 files changed, 42 insertions, 0 deletions
diff --git a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
index 0c1dafe09e..8d974c85d3 100644
--- a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
+++ b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java
@@ -60,6 +60,7 @@ import elemental.json.JsonObject;
public class DataCommunicator<T> extends AbstractExtension {
private Registration dataProviderUpdateRegistration;
+ private static final int MAXIMUM_ALLOWED_ROWS = 500;
/**
* Simple implementation of collection data provider communication. All data
@@ -306,11 +307,25 @@ public class DataCommunicator<T> extends AbstractExtension {
*/
protected void onRequestRows(int firstRowIndex, int numberOfRows,
int firstCachedRowIndex, int cacheSize) {
+ if (numberOfRows > getMaximumAllowedRows()) {
+ throw new IllegalStateException(
+ "Client tried fetch more rows than allowed. This is denied to prevent denial of service.");
+ }
setPushRows(Range.withLength(firstRowIndex, numberOfRows));
markAsDirty();
}
/**
+ * Set the maximum allowed rows to be fetched in one query.
+ *
+ * @return Maximum allowed rows for one query.
+ * @since 8.14.1
+ */
+ protected int getMaximumAllowedRows() {
+ return MAXIMUM_ALLOWED_ROWS;
+ }
+
+ /**
* Triggered when rows have been dropped from the client side cache.
*
* @param keys
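Review bot: The new guard in onRequestRows bounds numberOfRows only from above, so a negative numberOfRows or firstRowIndex sent by the client still reaches `Range.withLength(firstRowIndex, numberOfRows)`; whether that call rejects it cleanly depends on Range, which is not visible in this hunk. Consider checking the lower bounds in the same condition, e.g. `if (numberOfRows < 0 || firstRowIndex < 0 || numberOfRows > getMaximumAllowedRows())`. The exception message would help more when spotting misbehaving clients in server logs if it included the requested and allowed row counts, and "tried fetch" should read "tried to fetch". The Javadoc on getMaximumAllowedRows() opens with "Set the maximum allowed rows" although the method is a getter meant to be overridden; `Get the maximum number of rows that may be requested in one query; override to raise or lower the limit.` would match what the code does.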
diff --git a/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java b/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java
index c187c91471..ed681f298d 100644
--- a/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java
+++ b/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java
@@ -314,4 +314,12 @@ public class DataCommunicatorTest {
assertTrue("DataCommunicator should be marked as dirty",
ui.getConnectorTracker().isDirty(communicator));
}
+
+
+ @Test(expected = IllegalStateException.class)
+ public void requestTooMuchRowsFail() {
+ TestDataCommunicator communicator = new TestDataCommunicator();
+ communicator.onRequestRows(0, communicator.getMaximumAllowedRows() + 10,
+ 0, 0);
+ }
}
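Review bot: requestTooMuchRowsFail probes only `getMaximumAllowedRows() + 10`, so an off-by-one in the guard (for example `>=` instead of `>`) would pass unnoticed. Add the two boundary cases: a request for exactly `getMaximumAllowedRows()` rows should be accepted, and `getMaximumAllowedRows() + 1` should throw IllegalStateException. A short comment on the test stating that the limit exists to reject oversized client requests would tell a future reader why the expected exception matters.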
diff --git a/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java b/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java
index 5320959967..f0284b7f28 100644
--- a/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java
+++ b/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java
@@ -827,4 +827,23 @@ public class GridTest {
column.isSortableByUser());
}
+ @Test
+ public void extendGridCustomDataCommunicator() {
+ Grid<String> grid = new MyGrid<>();
+ }
+
+ public class MyDataCommunicator<T> extends DataCommunicator<T> {
+ @Override
+ protected int getMaximumAllowedRows() {
+ return 600;
+ }
+ }
+
+ public class MyGrid<T> extends Grid<T> {
+
+ public MyGrid() {
+ super(new MyDataCommunicator());
+ }
+
+ }
}
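Review bot: extendGridCustomDataCommunicator contains no assertion; it only constructs MyGrid, so the overridden limit of 600 in MyDataCommunicator is never exercised and the test would still pass if the override were ignored. It should at least drive a request between the default and the override (say 550 rows) through the custom communicator and check it is accepted, and check that 601 is rejected. Separately, `super(new MyDataCommunicator());` uses a raw type; `super(new MyDataCommunicator<>());` avoids the unchecked warning. Both helper classes are non-static inner classes and appear not to need the enclosing GridTest instance, so they could be declared `static`.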