author | Arjun Satarkar <me@arjunsatarkar.net> | 2023-07-29 18:12:46 +0000 |
---|---|---|
committer | Arjun Satarkar <me@arjunsatarkar.net> | 2023-07-29 18:19:33 +0000 |
commit | 0d06775761e2ea0c6268029ce33422275ba45332 (patch) | |
tree | 26d1cae1db63bb2475d851979942c33c4e2e461a | |
parent | 339c17ddaf8cb7a8228f86cd8f98c1e4bef517bd (diff) | |
Implement per-feed tag limit of 100
Seems necessary to have a limit here to avoid DoS, though of course several other
avenues for it remain, which should also be addressed. 100 seems more
than would be necessary for any non-pathological usage; the system is built
under the assumption that tags can be loaded all at once, don't need to be
paginated, etc. (unlike feeds and entries) anyway.
-rw-r--r-- | README.md | 1 | ||||
-rw-r--r-- | pyrightconfig.json | 4 | ||||
-rwxr-xr-x | serve.py | 8 |
3 files changed, 9 insertions, 4 deletions
@@ -17,7 +17,6 @@ See `LICENSE.txt` in the root of this repository for the text of the license.
 * Add JS to make the feed/tag input situation work like one would normally expect rather than like it's 1985. (Progressive enhancement, though.)
 * Do more user input validation
 * Handle more `requests` and `feedparser` error conditions
-* Add some reasonably high internal limit on tag count
 * Add support for authentication
 * Allow specifying update interval on a per-feed basis
diff --git a/pyrightconfig.json b/pyrightconfig.json
index 6d8dc68..9c2d55a 100644
--- a/pyrightconfig.json
+++ b/pyrightconfig.json
@@ -1,3 +1,3 @@
 {
- "typeCheckingMode": "basic",
-}
+ "typeCheckingMode": "basic"
+}
\ No newline at end of file
@@ -19,6 +19,7 @@ import tagrss
 MAX_PER_PAGE_ENTRIES = 1000
 DEFAULT_PER_PAGE_ENTRIES = 50
+MAX_TAGS = 100
 logging.basicConfig(
 format='%(levelname)s:%(name)s:"%(asctime)s":%(message)s',
@@ -40,7 +41,7 @@ core = tagrss.TagRss(storage_path=storage_path)
 def parse_space_separated_tags(inp: str) -> list[str]:
- tags = set()
+ tags: set[str] = set()
 tag = ""
 escaped = False
 for c in inp:
@@ -148,6 +149,9 @@ def add_feed_effect():
 feed_source: str = bottle.request.forms.get("feed_source") # type: ignore
 tags = parse_space_separated_tags(bottle.request.forms.get("tags")) # type: ignore
+ if len(tags) > MAX_TAGS:
+ raise bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")
+
 already_present: bool = False
 parsed, epoch_downloaded = tagrss.fetch_parsed_feed(feed_source)
@@ -196,6 +200,8 @@ def manage_feed_effect():
 feed["title"] = bottle.request.forms["title"] # type: ignore
 feed["tags"] = parse_space_separated_tags(bottle.request.forms["tags"]) # type: ignore
 feed["serialised_tags"] = bottle.request.forms["tags"] # type: ignore
+ if len(feed["tags"]) > MAX_TAGS:
+ raise bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")
 with core_lock:
 core.set_feed_source(feed["id"], feed["source"])
 core.set_feed_title(feed["id"], feed["title"]) |
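Review bot: The `MAX_TAGS` check added in add_feed_effect and repeated in manage_feed_effect bounds how many tags a feed may carry, but nothing in either hunk bounds the length of an individual tag, so a single very long tag still passes; unless another layer caps it, a companion constant (say a new `MAX_TAG_LENGTH`) checked next to `MAX_TAGS`, e.g. `if any(len(t) > MAX_TAG_LENGTH for t in tags): raise bottle.HTTPError(400, ...)`, would close that gap in the same style. The two-line `if`/`raise` and its message are duplicated verbatim in both handlers; hoisting them into one helper (`def _check_tag_limit(tags: list[str]) -> None:` wrapping the existing `if len(tags) > MAX_TAGS:` / `raise bottle.HTTPError(...)`) or into parse_space_separated_tags itself keeps the two request paths from drifting apart. In manage_feed_effect the check runs only after `feed["tags"]` and `feed["serialised_tags"]` have been assigned; that is harmless if `feed` is a fresh local, but if it is shared or cached state the rejected tags stay attached to it, which is worth confirming. Both enclosing functions start before their hunks and continue past them.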