Merge pull request #2526 from appwrite/fix-query-value-limits

fix: database query value limits
2024-05-20 12:42:39 +12:00 · 2021-12-29 15:18:49 +01:00 · 2021-12-29 15:18:49 +01:00 · 21158e5a96
parent f470f92c6a 9e88092ee8
commit 21158e5a96
2 changed files with 24 additions and 1 deletions
--- a/app/controllers/api/database.php
+++ b/app/controllers/api/database.php
@ -1717,7 +1717,15 @@ App::get('/v1/database/collections/:collectionId/documents')
            }
        }

-        $queries = \array_map(fn ($query) => Query::parse($query), $queries);
+        $queries = \array_map(function ($query) {
+            $query = Query::parse($query);
+
+            if (\count($query->getValues()) > 100) {
+                throw new Exception("You cannot use more than 100 query values on attribute '{$query->getAttribute()}'", 400);
+            }
+
+            return $query;
+        }, $queries);

        if (!empty($queries)) {
            $validator = new QueriesValidator(new QueryValidator($collection->getAttribute('attributes', [])), $collection->getAttribute('indexes', []), true);
--- a/tests/e2e/Services/Database/DatabaseBase.php
+++ b/tests/e2e/Services/Database/DatabaseBase.php
@ -1212,6 +1212,21 @@ trait DatabaseBase
        $this->assertEquals(400, $documents['headers']['status-code']);
        $this->assertEquals('Index not found: actors', $documents['body']['message']);

+        $conditions = [];
+
+        for ($i=0; $i < 101; $i++) { 
+            $conditions[] = $i;
+        }
+
+        $documents = $this->client->call(Client::METHOD_GET, '/database/collections/' . $data['moviesId'] . '/documents', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ], $this->getHeaders()), [
+            'queries' => ['releaseYear.equal(' . implode(',', $conditions) . ')'],
+        ]);
+
+        $this->assertEquals(400, $documents['headers']['status-code']);
+
        return [];
    }