From 2fbb51ceb29bfb1435625cdeb7c4cca5d8f5a049 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Sun, 11 Aug 2024 14:59:46 +0200 Subject: [PATCH] git-grep: ensure bounded default for MatchesPerFile Analogously to how it happens for MaxResultLimit. The default of 20 is inspired by a well-known, commercial code hosting platform. Unbounded limits are risky because they expose Forgejo to a class of DoS attacks where queries are crafted to take advantage of missing bounds. --- modules/git/grep.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/git/grep.go b/modules/git/grep.go index ba870e0541..bf65e86b8e 100644 --- a/modules/git/grep.go +++ b/modules/git/grep.go @@ -67,9 +67,8 @@ func GrepSearch(ctx context.Context, repo *Repository, search string, opts GrepO "--null", "--break", "--heading", "--column", "--fixed-strings", "--line-number", "--ignore-case", "--full-name") cmd.AddOptionValues("--context", fmt.Sprint(opts.ContextLineNumber)) - if opts.MatchesPerFile > 0 { - cmd.AddOptionValues("--max-count", fmt.Sprint(opts.MatchesPerFile)) - } + opts.MatchesPerFile = cmp.Or(opts.MatchesPerFile, 20) + cmd.AddOptionValues("--max-count", fmt.Sprint(opts.MatchesPerFile)) words := []string{search} if opts.IsFuzzy { words = strings.Fields(search)