Cap the results.
rthideaway committed Nov 25, 2020
1 parent 9961223 commit 5de778d
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions src/Plugin/GraphQL/DataProducer/Entity/EntityQuery.php
Expand Up @@ -69,6 +69,11 @@
*/
class EntityQuery extends EntityQueryBase {

/**
* The default maximum number of items to be capped to prevent DDOS attacks.
*/
const MAX_ITEMS = 100;

/**
* Resolves the entity query.
*
Expand Down Expand Up @@ -112,6 +117,15 @@ public function resolve(string $type, int $limit, int $offset, bool $ownedOnly,

// Make sure offset is zero or positive.
$offset = max($offset, 0);

// Make sure limit is positive and cap the max items to prevent DDOS
// attacks.
if ($limit <= 0) {
$limit = 10;
}
$limit = min($limit, self::MAX_ITEMS);

// Apply offset and limit.
$query->range($offset, $limit);

// Add sorts.
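Review bot: The `const MAX_ITEMS = 100;` line in the first hunk declares no visibility, and the fallback `10` for a non-positive limit in the second hunk is a bare magic number sitting next to the named cap; suggest `public const MAX_ITEMS = 100;`, a sibling `public const DEFAULT_ITEMS = 10;`, and `$limit = $limit <= 0 ? self::DEFAULT_ITEMS : $limit;`. The comment's "prevent DDOS attacks" overstates what the clamp does: it bounds the row count of one query so a single request cannot be made arbitrarily expensive, so a wording like `// Cap the page size so one request cannot force an unbounded query.` describes the protection more precisely. Oversized requests are clamped silently rather than rejected; that is a reasonable choice, but it should be stated in the docblock of resolve() (whose signature and body lie outside the hunk) so API consumers know `$limit` is capped to MAX_ITEMS.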
