diff options
3 files changed, 42 insertions, 0 deletions
diff --git a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java index 0c1dafe09e..8d974c85d3 100644 --- a/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java +++ b/server/src/main/java/com/vaadin/data/provider/DataCommunicator.java @@ -60,6 +60,7 @@ import elemental.json.JsonObject; public class DataCommunicator<T> extends AbstractExtension { private Registration dataProviderUpdateRegistration; + private static final int MAXIMUM_ALLOWED_ROWS = 500; /** * Simple implementation of collection data provider communication. All data @@ -306,11 +307,25 @@ public class DataCommunicator<T> extends AbstractExtension { */ protected void onRequestRows(int firstRowIndex, int numberOfRows, int firstCachedRowIndex, int cacheSize) { + if (numberOfRows > getMaximumAllowedRows()) { + throw new IllegalStateException( + "Client tried fetch more rows than allowed. This is denied to prevent denial of service."); + } setPushRows(Range.withLength(firstRowIndex, numberOfRows)); markAsDirty(); } /** + * Set the maximum allowed rows to be fetched in one query. + * + * @return Maximum allowed rows for one query. + * @since 8.14.1 + */ + protected int getMaximumAllowedRows() { + return MAXIMUM_ALLOWED_ROWS; + } + + /** * Triggered when rows have been dropped from the client side cache. * * @param keys diff --git a/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java b/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java index c187c91471..ed681f298d 100644 --- a/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java +++ b/server/src/test/java/com/vaadin/data/provider/DataCommunicatorTest.java @@ -314,4 +314,12 @@ public class DataCommunicatorTest { assertTrue("DataCommunicator should be marked as dirty", ui.getConnectorTracker().isDirty(communicator)); } + + + @Test(expected = IllegalStateException.class) + public void requestTooMuchRowsFail() { + TestDataCommunicator communicator = new TestDataCommunicator(); + communicator.onRequestRows(0, communicator.getMaximumAllowedRows() + 10, + 0, 0); + } } diff --git a/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java b/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java index 5320959967..f0284b7f28 100644 --- a/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java +++ b/server/src/test/java/com/vaadin/tests/server/component/grid/GridTest.java @@ -827,4 +827,23 @@ public class GridTest { column.isSortableByUser()); } + @Test + public void extendGridCustomDataCommunicator() { + Grid<String> grid = new MyGrid<>(); + } + + public class MyDataCommunicator<T> extends DataCommunicator<T> { + @Override + protected int getMaximumAllowedRows() { + return 600; + } + } + + public class MyGrid<T> extends Grid<T> { + + public MyGrid() { + super(new MyDataCommunicator()); + } + + } } |