From 783e785b32f01d9e4e8113d6d58b1a77e2ff2f90 Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Fri, 28 Jul 2023 15:17:30 +0100
Subject: [PATCH] fix(/api/diff): return 400 if greater than max objects (#1736)

- log a warning
- return a 400
- this is a workaround for a limitation of unsigned int-16 in database
---
 packages/server/modules/core/rest/diffUpload.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/packages/server/modules/core/rest/diffUpload.js b/packages/server/modules/core/rest/diffUpload.js
index 76161b76a..90b573b17 100644
--- a/packages/server/modules/core/rest/diffUpload.js
+++ b/packages/server/modules/core/rest/diffUpload.js
@@ -6,6 +6,8 @@ const { validatePermissionsWriteStream } = require('./authUtils')
 const { hasObjects } = require('../services/objects')
+const MAXIMUM_OBJECTS = 65536
+
 module.exports = (app) => {
   app.options('/api/diff/:streamId', corsMiddleware())
@@ -23,6 +25,12 @@ module.exports = (app) => {
     }
     const objectList = JSON.parse(req.body.objects)
+    if (objectList.length > MAXIMUM_OBJECTS) {
+      req.log.warn(
+        `User ${req.context.userId} tried to diff ${objectList.length} objects, which is greater than the maximum of ${MAXIMUM_OBJECTS}.`
+      )
+      return res.status(400).end(`Too many objects. Maximum ${MAXIMUM_OBJECTS}.`)
+    }
     req.log.info(`Diffing ${objectList.length} objects.`)
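Review bot: `MAXIMUM_OBJECTS = 65536` in the first hunk looks off by one against the stated reason for the cap: an unsigned 16-bit integer, which the commit message names as the database limitation, holds at most 65535, and with the strict `>` comparison used in the second hunk a request of exactly 65536 objects still gets through. If the column stores the object count itself, the constant should be `65535` (or the comparison `>=`); whether the stored value is a count or a zero-based index is not visible here, so confirm against the schema before changing it. The definition also deserves a comment explaining the magic number, since nothing at the declaration ties it to the workaround, e.g. `// Upper bound on objects per diff request: the database stores this as an unsigned 16-bit integer (see #1736)`. The handler containing the check begins and ends outside the second hunk.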