From aad4eaedcb94da8c8d6903bb9fec937aaa78a52e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Sas=C3=A1k?= Date: Mon, 27 Nov 2023 14:13:34 +0100 Subject: [PATCH] feat(manager): limit page size to 100 --- manager/base.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/manager/base.py b/manager/base.py index 4a234e270..667acd934 100644 --- a/manager/base.py +++ b/manager/base.py @@ -58,6 +58,7 @@ IDENTITY_HEADER = "x-rh-identity" DEFAULT_PAGE_SIZE = 20 +MAXIMUM_PAGE_SIZE = 100 DEFAULT_BUSINESS_RISK = "Not Defined" DEFAULT_STATUS = "Not Reviewed" CVE_SYNOPSIS_SORT = [fn.SUBSTRING(SQL("cve_name"), r"-(\d+)-").cast("integer"), @@ -274,7 +275,10 @@ def _parse_list_arguments(cls, kwargs): data_format = kwargs.get("data_format", "json") if data_format not in ["json", "csv"]: - raise InvalidArgumentException("Invalid data format: %s" % kwargs.get("data_format", None)) + raise InvalidArgumentException(f"Invalid data format: {kwargs.get('data_format', None)}") + + if limit > MAXIMUM_PAGE_SIZE and UI_REFERER not in connexion.request.headers.get("referer", ""): + raise InvalidArgumentException(f"Page limit of size: {limit} is too high, maximum is {MAXIMUM_PAGE_SIZE}") return { "filter": remove_str_nulls(kwargs.get("filter", None)),
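Review bot: The cap added to `_parse_list_arguments` is skipped whenever the request's `Referer` header contains `UI_REFERER`, and that header is chosen by the client, so any API caller who sends a matching value can still request a `limit` above `MAXIMUM_PAGE_SIZE`. The `in` test is also a substring match, so a referer that merely embeds the UI string somewhere in its URL passes as well. If the limit is meant to bound the cost of a single list request, enforce it unconditionally with `if limit > MAXIMUM_PAGE_SIZE:` and, should the UI need larger pages, give it its own bounded maximum rather than no bound; if the exemption stays, a comment such as `# Referer is client-controlled: this exemption is a UI convenience, not an access control` would keep it from being read as one. `limit` and `UI_REFERER` are defined outside the hunk, and the function body starts and ends outside it, so whether `limit` is bounded elsewhere is not visible here.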