From 186855b5f8a3c6324845ebd17067f77dc87a896f Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani <45800463+rchincha@users.noreply.github.com>
Date: Tue, 23 Apr 2024 23:23:17 -0700
Subject: [PATCH] fix: additional input validation for CVE graphQL query
 (#2408)

It is possible to ask for a very large limit size which can exhaust
memory.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
---
 errors/errors.go                             |  1 +
 pkg/extensions/search/cve/pagination.go      |  6 ++++++
 pkg/extensions/search/cve/pagination_test.go | 17 +++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/errors/errors.go b/errors/errors.go
index 09207d9e..e5e63ea1 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -117,6 +117,7 @@ var (
 	ErrEmptyDigest                    = errors.New("digest can't be empty string")
 	ErrInvalidRepoRefFormat           = errors.New("invalid image reference format, use [repo:tag] or [repo@digest]")
 	ErrLimitIsNegative                = errors.New("pagination limit has negative value")
+	ErrLimitIsExcessive               = errors.New("pagination limit has excessive value")
 	ErrOffsetIsNegative               = errors.New("pagination offset has negative value")
 	ErrSortCriteriaNotSupported       = errors.New("the pagination sort criteria is not supported")
 	ErrMediaTypeNotSupported          = errors.New("media type is not supported")
diff --git a/pkg/extensions/search/cve/pagination.go b/pkg/extensions/search/cve/pagination.go
index b5a5ab60..14d5c2f7 100644
--- a/pkg/extensions/search/cve/pagination.go
+++ b/pkg/extensions/search/cve/pagination.go
@@ -62,6 +62,8 @@ type CvePageFinder struct {
 	pageBuffer []cvemodel.CVE
 }
 
+const maxCvePageLimit = 4 * 1024
+
 func NewCvePageFinder(limit, offset int, sortBy cvemodel.SortCriteria) (*CvePageFinder, error) {
 	if sortBy == "" {
 		sortBy = SeverityDsc
@@ -71,6 +73,10 @@ func NewCvePageFinder(limit, offset int, sortBy cvemodel.SortCriteria) (*CvePage
 		return nil, zerr.ErrLimitIsNegative
 	}
 
+	if limit > maxCvePageLimit {
+		return nil, zerr.ErrLimitIsExcessive
+	}
+
 	if offset < 0 {
 		return nil, zerr.ErrOffsetIsNegative
 	}
diff --git a/pkg/extensions/search/cve/pagination_test.go b/pkg/extensions/search/cve/pagination_test.go
index 49cc28fc..53a43e29 100644
--- a/pkg/extensions/search/cve/pagination_test.go
+++ b/pkg/extensions/search/cve/pagination_test.go
@@ -415,6 +415,23 @@ func TestCVEPagination(t *testing.T) {
 					previousSeverity = severityToInt[cve.Severity]
 				}
 			})
+			Convey("bad limits", func() {
+				_, _, _, err := cveInfo.GetCVEListForImage(ctx, "repo1", "0.1.0", "", "", "", cvemodel.PageInput{
+					Limit:  -1,
+					Offset: 3,
+					SortBy: cveinfo.AlphabeticAsc,
+				},
+				)
+				So(err, ShouldNotBeNil)
+
+				_, _, _, err = cveInfo.GetCVEListForImage(ctx, "repo1", "0.1.0", "", "", "", cvemodel.PageInput{
+					Limit:  4097,
+					Offset: 3,
+					SortBy: cveinfo.AlphabeticAsc,
+				},
+				)
+				So(err, ShouldNotBeNil)
+			})
 		})
 	})
 }