reduce attack vector for 'complex' queries when doing autocomplete wi…

…th photon
graphhopper · Sep 9, 2023 · 72aa771 · 72aa771
1 parent 9923e70
commit 72aa771
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/src/main/java/com/graphhopper/converter/resources/ConverterResourcePhoton.java b/src/main/java/com/graphhopper/converter/resources/ConverterResourcePhoton.java
@@ -46,6 +46,11 @@ public Response handle(@QueryParam("q") @DefaultValue("") String query,
         limit = fixLimit(limit);
         checkInvalidParameter(reverse, query, point);
 
+        if (query.length() > 300)
+            throw new BadRequestException("q parameter cannot be longer than 300 characters");
+        if (countSpaces(query) > 30)
+            throw new BadRequestException("q parameter cannot contain more than 30 spaces");
+
         WebTarget target;
         if (reverse) {
             target = buildReverseTarget();
@@ -100,6 +105,16 @@ public Response handle(@QueryParam("q") @DefaultValue("") String query,
         }
     }
 
+    public static int countSpaces(String input) {
+        int spaceCount = 0;
+        for (int i = 0; i < input.length(); i++) {
+            if (input.charAt(i) == ' ') {
+                spaceCount++;
+            }
+        }
+        return spaceCount;
+    }
+
     private WebTarget buildForwardTarget(String query) {
         return jerseyClient.
                 target(photonUrl).

diff --git a/src/test/java/com/graphhopper/converter/resource/ConverterResourcePhotonTest.java b/src/test/java/com/graphhopper/converter/resource/ConverterResourcePhotonTest.java
@@ -127,6 +127,16 @@ public void testReverseWithOSMTags() {
         assertEquals("Newark Liberty International Airport", entry.getHits().get(0).getName());
     }
 
+    @Test
+    public void testLongQuery() {
+        Response response = client.target(String.format("http://localhost:%d/photon?q=hh+hh+hhh+hh+hh+hhh+hh+hh+hhh+hh+hhhh+hh+hhh+hh+hh+hhh+hh+hh+hhh+hh+hhhh+hh+hhh+hh+hh+hhh+hh+hh+hhh+hh+hh+hh", RULE.getLocalPort()))
+                .request()
+                .get();
+
+        assertThat(response.getStatus()).isEqualTo(400);
+        assertThat(response.readEntity(String.class)).contains("q parameter cannot contain more than 30 spaces");
+    }
+
     @Test
     public void testCorrectLocale() {
         Response response = client.target(