From 1a5712017bc40c0eac68b53f5fd93061a606ac65 Mon Sep 17 00:00:00 2001
From: Torsten Dittmann
Date: Tue, 28 Dec 2021 18:57:24 +0100
Subject: [PATCH] fix: database query value limits
---
 app/controllers/api/database.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/controllers/api/database.php b/app/controllers/api/database.php
index 2841c6fa4..ced5de1c2 100644
--- a/app/controllers/api/database.php
+++ b/app/controllers/api/database.php
@@ -1717,7 +1717,15 @@ App::get('/v1/database/collections/:collectionId/documents')
 }
 }
- $queries = \array_map(fn ($query) => Query::parse($query), $queries);
+ $queries = \array_map(function ($query) {
+ $query = Query::parse($query);
+
+ if (\count($query->getValues()) > 100) {
+ throw new Exception("You cannot use more than 100 query values on attribute '{$query->getAttribute()}'", 400);
+ }
+
+ return $query;
+ }, $queries);
 if (!empty($queries)) {
 $validator = new QueriesValidator(new QueryValidator($collection->getAttribute('attributes', [])), $collection->getAttribute('indexes', []), true);
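Review bot: The new cap in the `array_map` closure bounds the values of each parsed query separately, so the total number of values reaching the database is still the number of entries in `$queries` times 100; whether `$queries` itself is length-limited depends on the route's parameter validator, which is outside this hunk and worth confirming. The literal 100 appears in both the condition and the message and would be easier to keep in sync as one named constant, e.g. a new `MAX_QUERY_VALUES` used as `if (\count($query->getValues()) > MAX_QUERY_VALUES) {`. The message also interpolates `$query->getAttribute()` before the `QueriesValidator` check further down has run, so a client-chosen attribute string is echoed back unvalidated; that is presumably harmless in a JSON error body, but the message could simply omit the name. The route handler begins and ends outside the hunk.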