From 72aa771bc14bbf0a8a471ddd72e4fd824dad4873 Mon Sep 17 00:00:00 2001
From: Peter
Date: Sat, 9 Sep 2023 11:47:10 +0200
Subject: [PATCH] reduce attack vector for 'complex' queries when doing autocomplete with photon
---
 .../resources/ConverterResourcePhoton.java | 15 +++++++++++++++
 .../resource/ConverterResourcePhotonTest.java | 10 ++++++++++
 2 files changed, 25 insertions(+)

diff --git a/src/main/java/com/graphhopper/converter/resources/ConverterResourcePhoton.java b/src/main/java/com/graphhopper/converter/resources/ConverterResourcePhoton.java
index f9e914e..16e36c0 100644
--- a/src/main/java/com/graphhopper/converter/resources/ConverterResourcePhoton.java
+++ b/src/main/java/com/graphhopper/converter/resources/ConverterResourcePhoton.java
@@ -46,6 +46,11 @@ public Response handle(@QueryParam("q") @DefaultValue("") String query,
 limit = fixLimit(limit);
 checkInvalidParameter(reverse, query, point);
 
+ if (query.length() > 300)
+ throw new BadRequestException("q parameter cannot be longer than 300 characters");
+ if (countSpaces(query) > 30)
+ throw new BadRequestException("q parameter cannot contain more than 30 spaces");
+
 WebTarget target;
 if (reverse) {
 target = buildReverseTarget();
@@ -100,6 +105,16 @@ public Response handle(@QueryParam("q") @DefaultValue("") String query,
 }
 }
 
+ public static int countSpaces(String input) {
+ int spaceCount = 0;
+ for (int i = 0; i < input.length(); i++) {
+ if (input.charAt(i) == ' ') {
+ spaceCount++;
+ }
+ }
+ return spaceCount;
+ }
+
 private WebTarget buildForwardTarget(String query) {
 return jerseyClient.
 target(photonUrl).
diff --git a/src/test/java/com/graphhopper/converter/resource/ConverterResourcePhotonTest.java b/src/test/java/com/graphhopper/converter/resource/ConverterResourcePhotonTest.java
index b2f8329..539e881 100644
--- a/src/test/java/com/graphhopper/converter/resource/ConverterResourcePhotonTest.java
+++ b/src/test/java/com/graphhopper/converter/resource/ConverterResourcePhotonTest.java
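Review bot: The token budget enforced just before `WebTarget target;` counts only U+0020, so a query whose terms are separated by tabs, newlines or other Unicode whitespace has the same number of terms for the backend but passes the `countSpaces(query) > 30` check; the 300-character cap limits this but does not close it. In the `countSpaces` hunk that follows, `if (Character.isWhitespace(input.charAt(i))) {` counts every Java whitespace class the same way (note it excludes non-breaking spaces, so add `|| Character.isSpaceChar(...)` if those matter), and the message could then read `"q parameter cannot contain more than 30 whitespace characters"`. Whether Photon also splits terms on punctuation is not visible here; if it does, a separator count rather than a space count is the more accurate bound. `handle` starts and continues outside this hunk.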
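Review bot: `countSpaces` is a new public static method without Javadoc, and its name does not say that only the ASCII space character is counted; a one-line Javadoc such as `/** Counts occurrences of the ASCII space (U+0020) in {@code input}; used to bound the number of terms passed on to Photon. */` makes that contract explicit to callers. The new test reaches it through the HTTP endpoint rather than directly, so it does not need to be public and could be private. Stylistically, the loop could be `return (int) input.chars().filter(c -> c == ' ').count();`, but that is a matter of taste.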
@@ -127,6 +127,16 @@ public void testReverseWithOSMTags() {
 assertEquals("Newark Liberty International Airport", entry.getHits().get(0).getName());
 }
 
+ @Test
+ public void testLongQuery() {
+ Response response = client.target(String.format("http://localhost:%d/photon?q=hh+hh+hhh+hh+hh+hhh+hh+hh+hhh+hh+hhhh+hh+hhh+hh+hh+hhh+hh+hh+hhh+hh+hhhh+hh+hhh+hh+hh+hhh+hh+hh+hhh+hh+hh+hh", RULE.getLocalPort()))
+ .request()
+ .get();
+
+ assertThat(response.getStatus()).isEqualTo(400);
+ assertThat(response.readEntity(String.class)).contains("q parameter cannot contain more than 30 spaces");
+ }
+
 @Test
 public void testCorrectLocale() {
 Response response = client.target(
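Review bot: `testLongQuery` exercises only the 30-space rule; the 300-character branch added in the same patch has no test, although the method name suggests one. A second test building a query of 301 non-space characters (e.g. `"h".repeat(301)` if the project targets Java 11+, otherwise a `StringBuilder` loop) and asserting status 400 plus `"q parameter cannot be longer than 300 characters"` would pin it. A boundary case with exactly 30 spaces asserting that the request is not rejected with 400 would also guard against an off-by-one in either direction; whether the backend stub used by these tests can answer such a request is not visible here.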