Merge branch 'master' into live

aurweb/rpc.py

@@ -274,7 +274,12 @@ class RPC:
         ]
 
         # Union all subqueries together.
-        query = subqueries[0].union_all(*subqueries[1:])
+        max_results = config.getint("options", "max_rpc_results")
+        query = subqueries[0].union_all(*subqueries[1:]).limit(
+            max_results + 1).all()
+
+        if len(query) > max_results:
+            raise RPCError("Too many package results.")
 
         # Store our extra information in a class-wise dictionary,
         # which contains package id -> extra info dict mappings.
@@ -306,7 +311,11 @@ class RPC:
         search.search_by(by, arg)
 
         max_results = config.getint("options", "max_rpc_results")
-        results = self._entities(search.results()).limit(max_results)
+        results = self._entities(search.results()).limit(max_results + 1).all()
+
+        if len(results) > max_results:
+            raise RPCError("Too many package results.")
+
         return self._assemble_json_data(results, self._get_json_data)
 
     def _handle_msearch_type(self, args: List[str] = [], **kwargs)\

doc/rpc.txt

@@ -28,21 +28,27 @@ Package information can be obtained by issuing HTTP GET requests of the form
 +/rpc?v=5&type=info&arg[]=_pkg1_&arg[]=_pkg2_&...+ where _pkg1_, _pkg2_, ...
 are the names of packages to retrieve package details for.
 
-Request Types
--------------
+Request Methods
+---------------
 
-The GET method here parses arguments in an odd way due to `v=5` historically
-supporting this ordering. Later versions will remove support for this kind
-of parsing, and the POST method is our first step toward solving it.
+Historically, the `type=multiinfo` `v=5` GET request has supported a
+particular ordering of arguments. The POST request argument ordering
+cannot be guaranteed, and so its behavior is different. Differences are
+described below:
 
-* `GET`
-    - Search arguments are constructed using the last found argument(s).
-    If the last related argument is `arg[]`, we collect arguments from
-    end to start until we hit a non-`arg[]` argument. If the last related
-    argument is `arg`, it used as the one and only argument.
-* `POST`
-    - Search arguments are constructed using `[arg] + args` where
-    `args == arg[]`.
+`GET`::
+  `type=multiinfo` arguments are parsed by iterating the query string
+  from last to first key, looking for an `arg` or `arg[]`. Once one is
+  found, behavior diverges depending on which is found first: the `arg`
+  parameter is used as the sole argument or the `arg[]` parameters are
+  built into a list until a non-argument key is encountered.
+`POST (experimental)`::
+  All provided instances of `arg` and `arg[]` given to `type=multiinfo`
+  are supported in unison:
+
+  curl -d 'v=5' -d 'type=info' -d 'arg=one' -d 'arg[]=two' -d 'arg[]=three' ...
+
+All other valid query types are supported without change.
 
 Examples
 --------

test/test_rpc.py

@@ -795,3 +795,34 @@ def test_rpc_post(client: TestClient, packages: List[Package]):
         resp = request.post("/rpc", data=data)
     assert resp.status_code == int(HTTPStatus.OK)
     assert resp.json().get("resultcount") == 2
+
+
+def test_rpc_too_many_search_results(client: TestClient,
+                                     packages: List[Package]):
+    config_getint = config.getint
+
+    def mock_config(section: str, key: str):
+        if key == "max_rpc_results":
+            return 1
+        return config_getint(section, key)
+
+    params = {"v": 5, "type": "search", "arg": "chungus"}
+    with mock.patch("aurweb.config.getint", side_effect=mock_config):
+        with client as request:
+            resp = request.get("/rpc", params=params)
+    assert resp.json().get("error") == "Too many package results."
+
+
+def test_rpc_too_many_info_results(client: TestClient, packages: List[Package]):
+    config_getint = config.getint
+
+    def mock_config(section: str, key: str):
+        if key == "max_rpc_results":
+            return 1
+        return config_getint(section, key)
+
+    params = {"v": 5, "type": "info", "arg[]": [p.Name for p in packages]}
+    with mock.patch("aurweb.config.getint", side_effect=mock_config):
+        with client as request:
+            resp = request.get("/rpc", params=params)
+    assert resp.json().get("error") == "Too many package results."