authorArjun Satarkar <me@arjunsatarkar.net>2023-07-29 18:12:46 +0000
committerArjun Satarkar <me@arjunsatarkar.net>2023-07-29 18:19:33 +0000
commit0d06775761e2ea0c6268029ce33422275ba45332 (patch)
tree26d1cae1db63bb2475d851979942c33c4e2e461a
parent339c17ddaf8cb7a8228f86cd8f98c1e4bef517bd (diff)
Implement per-feed tag limit of 100
Seems necessary to have a limit here to avoid DoS, though of course several other avenues for it remain, which should also be addressed. 100 seems more than would be necessary for any non-pathological usage; the system is built under the assumption that tags can be loaded all at once, don't need to be paginated, etc. (unlike feeds and entries) anyway.
-rw-r--r--README.md1
-rw-r--r--pyrightconfig.json4
-rwxr-xr-xserve.py8
3 files changed, 9 insertions, 4 deletions
diff --git a/README.md b/README.md
index 96c5c2f..e0d5b1c 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,6 @@ See `LICENSE.txt` in the root of this repository for the text of the license.
* Add JS to make the feed/tag input situation work like one would normally expect rather than like it's 1985. (Progressive enhancement, though.)
* Do more user input validation
* Handle more `requests` and `feedparser` error conditions
-* Add some reasonably high internal limit on tag count
* Add support for authentication
* Allow specifying update interval on a per-feed basis
diff --git a/pyrightconfig.json b/pyrightconfig.json
index 6d8dc68..9c2d55a 100644
--- a/pyrightconfig.json
+++ b/pyrightconfig.json
@@ -1,3 +1,3 @@
{
- "typeCheckingMode": "basic",
-}
+ "typeCheckingMode": "basic"
+}
\ No newline at end of file
diff --git a/serve.py b/serve.py
index c84efd6..2f49fc0 100755
--- a/serve.py
+++ b/serve.py
@@ -19,6 +19,7 @@ import tagrss
MAX_PER_PAGE_ENTRIES = 1000
DEFAULT_PER_PAGE_ENTRIES = 50
+MAX_TAGS = 100
logging.basicConfig(
format='%(levelname)s:%(name)s:"%(asctime)s":%(message)s',
@@ -40,7 +41,7 @@ core = tagrss.TagRss(storage_path=storage_path)
def parse_space_separated_tags(inp: str) -> list[str]:
- tags = set()
+ tags: set[str] = set()
tag = ""
escaped = False
for c in inp:
@@ -148,6 +149,9 @@ def add_feed_effect():
feed_source: str = bottle.request.forms.get("feed_source") # type: ignore
tags = parse_space_separated_tags(bottle.request.forms.get("tags")) # type: ignore
+ if len(tags) > MAX_TAGS:
+ raise bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")
+
already_present: bool = False
parsed, epoch_downloaded = tagrss.fetch_parsed_feed(feed_source)
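Review bot: The new limit check is copied into both handlers (here at the `if len(tags) > MAX_TAGS:` line and again in the manage_feed_effect hunk) with the same message, so any future caller of parse_space_separated_tags gets no limit unless it remembers to repeat the check. A single helper such as `def check_tag_limit(tags: list[str]) -> None:` / `    if len(tags) > MAX_TAGS:` / `        raise bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")`, called from both handlers, keeps the rule in one place. Note also that the count is taken after the whole tags field has already been parsed, so the limit bounds what is stored rather than the parsing work; the raw field size is presumably bounded only by bottle's request body limit (`MEMFILE_MAX`), which is worth confirming and recording in a comment next to `MAX_TAGS = 100`. Separately, the `.get("tags")` on the context line above can return None when the field is absent and would reach the parser unvalidated (the `# type: ignore` hints at this); `.get("tags", "")` would make the new check reachable in that case too. add_feed_effect's definition starts before this hunk and continues after it.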
@@ -196,6 +200,8 @@ def manage_feed_effect():
feed["title"] = bottle.request.forms["title"] # type: ignore
feed["tags"] = parse_space_separated_tags(bottle.request.forms["tags"]) # type: ignore
feed["serialised_tags"] = bottle.request.forms["tags"] # type: ignore
+ if len(feed["tags"]) > MAX_TAGS:
+ raise bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")
with core_lock:
core.set_feed_source(feed["id"], feed["source"])
core.set_feed_title(feed["id"], feed["title"])