Security: Unbounded limit parameter in user search can be abused for resource exhaustion#8476
Conversation
tomaioo
requested review from
max-nextcloud,
mejo- and
silverkszlo
as code owners
|
Hello there, We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process. Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6 Thank you for contributing to Nextcloud and we hope to hear from you soon! (If you believe you should not receive this message, you can add yourself to the blocklist.) |
The `index(string $filter = '', int $limit = 5)` method accepts client-controlled `limit` and passes it directly to collaborator search. Without an upper bound, an attacker can request very large limits, causing expensive directory lookups and increased response size. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
mejo-
force-pushed
the
fix/security/unbounded-limit-parameter-in-user-search
branch
from
5c69644 to
685350f
Compare
|
/backport to stable33 |
|
/backport to stable32 |
2 participants
Summary
Security: Unbounded
limitparameter in user search can be abused for resource exhaustionProblem
Severity:
Medium| File:lib/Controller/UserApiController.php:L39The
index(string $filter = '', int $limit = 5)method accepts client-controlledlimitand passes it directly to collaborator search. Without an upper bound, an attacker can request very large limits, causing expensive directory lookups and increased response size.Solution
Enforce a strict maximum (e.g., 10-50) for
limitbefore invoking search, and consider server-side rate limiting for this endpoint.Changes
lib/Controller/UserApiController.php(modified)