fix: bound co-owner invites per request (#9300)

domodwyer · web-flow · commit 11ccce044b6b · 2024-08-22T06:17:06.000+02:00
Bound the number of co-owner invites that can be sent in a single API
request, effectively bounding the work done per request.

This limits the number of iterations the N^2 membership test loop has to
perform, limiting the amount of CPU time and memory needed for both it
and the subsequent database queries per invitee.
diff --git a/src/controllers/krate/owners.rs b/src/controllers/krate/owners.rs
@@ -108,6 +108,14 @@ async fn modify_owners(
 ) -> AppResult<Json<Value>> {
     let logins = body.owners;
 
+    // Bound the number of invites processed per request to limit the cost of
+    // processing them all.
+    if logins.len() > 10 {
+        return Err(bad_request(
+            "too many invites for this request - maximum 10",
+        ));
+    }
+
     let conn = app.db_write().await?;
     spawn_blocking(move || {
         let conn: &mut AsyncConnectionWrapper<_> = &mut conn.into();
diff --git a/src/tests/routes/crates/owners/add.rs b/src/tests/routes/crates/owners/add.rs
@@ -353,3 +353,22 @@ async fn test_unknown_team() {
     assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     assert_snapshot!(response.text(), @r###"{"errors":[{"detail":"could not find the github team unknown/unknown. Make sure that you have the right permissions in GitHub. See https://doc.rust-lang.org/cargo/reference/publishing.html#github-permissions"}]}"###);
 }
+
+#[tokio::test(flavor = "multi_thread")]
+async fn max_invites_per_request() {
+    let (app, _, _, owner) = TestApp::init().with_token();
+    app.db(|conn| CrateBuilder::new("crate_name", owner.as_model().user_id).expect_build(conn));
+
+    let usernames = (0..11)
+        .map(|i| format!("user_{i}"))
+        .collect::<Vec<String>>();
+
+    // Populate enough users in the database to submit 11 invites at once.
+    for user in &usernames {
+        app.db_new_user(user);
+    }
+
+    let response = owner.add_named_owners("crate_name", &usernames).await;
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"too many invites for this request - maximum 10"}]}"#);
+}
diff --git a/src/tests/util.rs b/src/tests/util.rs
@@ -332,7 +332,10 @@ impl MockTokenUser {
     }
 
     /// Add to the specified crate the specified owners.
-    pub async fn add_named_owners(&self, krate_name: &str, owners: &[&str]) -> Response<OkBool> {
+    pub async fn add_named_owners<T>(&self, krate_name: &str, owners: &[T]) -> Response<OkBool>
+    where
+        T: serde::Serialize,
+    {
         let url = format!("/api/v1/crates/{krate_name}/owners");
         let body = json!({ "owners": owners }).to_string();
         self.put(&url, body).await
