Merge branch 'fix-search-dos' into 'develop'

Search: limit number of results (prevent DoS) See merge request pleroma/pleroma!3563
author: Alex Gleason <alex@alexgleason.me> 2021-12-19 17:30:52 +0000
committer: Alex Gleason <alex@alexgleason.me> 2021-12-19 17:30:52 +0000
commit: 7c1d804554cd361753f4d6f2d0ac27a9281c885f (patch)
tree: 7a8ecec10664380c75abd87f1126ce0efe29a5f5
parent: b686d68cdbe8465148aae4dfc21ec1ec151d04ab (diff)
parent: 108dfd1f87087e9bb61bffa310ddb67a58d5336a (diff)
download: pleroma-7c1d804554cd361753f4d6f2d0ac27a9281c885f.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
index 64b177eb3..1459fc492 100644
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@@ -17,6 +17,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
 
   require Logger
 
+  @search_limit 40
+
   plug(Pleroma.Web.ApiSpec.CastAndValidate)
 
   # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
@@ -77,7 +79,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
     [
       resolve: params[:resolve],
       following: params[:following],
-      limit: params[:limit],
+      limit: min(params[:limit], @search_limit),
       offset: params[:offset],
       type: params[:type],
       author: get_author(params),
author	Alex Gleason <alex@alexgleason.me>	2021-12-19 17:30:52 +0000
committer	Alex Gleason <alex@alexgleason.me>	2021-12-19 17:30:52 +0000
commit	7c1d804554cd361753f4d6f2d0ac27a9281c885f (patch)
tree	7a8ecec10664380c75abd87f1126ce0efe29a5f5
parent	b686d68cdbe8465148aae4dfc21ec1ec151d04ab (diff)
parent	108dfd1f87087e9bb61bffa310ddb67a58d5336a (diff)
download	pleroma-7c1d804554cd361753f4d6f2d0ac27a9281c885f.tar.gz