From 3d1cb137d97f0221f6e241f1dd4effb099afc5ed Mon Sep 17 00:00:00 2001
From: Tpt
Date: Mon, 9 Sep 2019 16:47:49 +0200
Subject: [PATCH] Limits SPARQL query size
Avoids simple DDOS attack of posting very big queries
---
 server/src/main.rs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/server/src/main.rs b/server/src/main.rs
index d198932c..eef999c5 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -13,6 +13,7 @@ use rudf::{
 use std::io::{BufReader, Read};
 use std::sync::Arc;
+const MAX_SPARQL_BODY_SIZE: u64 = 1048576;
 const HTML_ROOT_PAGE: &str = include_str!("../templates/query.html");
 pub fn main() {
@@ -95,15 +96,19 @@ fn handle_request(
 request,
 ),
 ("/query", "POST") => {
- if let Some(mut body) = request.data() {
+ if let Some(body) = request.data() {
 if let Some(content_type) = request.header("Content-Type") {
 if content_type.starts_with("application/sparql-query") {
 let mut buffer = String::default();
- body.read_to_string(&mut buffer).unwrap();
+ body.take(MAX_SPARQL_BODY_SIZE)
+ .read_to_string(&mut buffer)
+ .unwrap();
 evaluate_sparql_query(connection, &buffer, request)
 } else if content_type.starts_with("application/x-www-form-urlencoded") {
 let mut buffer = Vec::default();
- body.read_to_end(&mut buffer).unwrap();
+ body.take(MAX_SPARQL_BODY_SIZE)
+ .read_to_end(&mut buffer)
+ .unwrap();
 evaluate_urlencoded_sparql_query(connection, &buffer, request)
 } else {
 Response::text(format!(
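Review bot: `MAX_SPARQL_BODY_SIZE` in the first hunk is added without a comment and as a bare `1048576`, so a reader has to work out that the unit is bytes and the value is 1 MiB. Writing it as `const MAX_SPARQL_BODY_SIZE: u64 = 1024 * 1024;` with a doc line such as `/// Maximum number of request-body bytes read for a SPARQL query (1 MiB).` makes the limit and its purpose explicit.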
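Review bot: A body larger than `MAX_SPARQL_BODY_SIZE` is silently cut at the limit by `take()` in both `/query` POST branches, and the truncated data is still handed to `evaluate_sparql_query` / `evaluate_urlencoded_sparql_query`, so the client gets a confusing parse error (or, in the form-encoded branch, possibly a query built from a partial parameter) rather than an explicit rejection. The cut can also fall inside a multi-byte UTF-8 sequence, in which case `read_to_string` returns an error and the retained `.unwrap()` panics on client-controlled input. Reading one byte past the limit and answering 413 when that byte arrives, and mapping a read error to 400, keeps the memory cap while making the limit visible to callers. The sketch assumes the `Response` type used further down in this match offers `with_status_code`; `handle_request` starts and ends outside the hunk.

```rust
if content_type.starts_with("application/sparql-query") {
    let mut buffer = String::default();
    // One byte past the limit distinguishes "too large" from "exactly at the limit".
    match body
        .take(MAX_SPARQL_BODY_SIZE + 1)
        .read_to_string(&mut buffer)
    {
        Ok(_) if buffer.len() as u64 > MAX_SPARQL_BODY_SIZE => {
            Response::text("The SPARQL query body is too large").with_status_code(413)
        }
        Ok(_) => evaluate_sparql_query(connection, &buffer, request),
        // Invalid UTF-8 or an interrupted upload: answer the client instead of panicking.
        Err(error) => Response::text(format!("Unreadable request body: {}", error))
            .with_status_code(400),
    }
// … unchanged: the application/x-www-form-urlencoded branch, with the same match around read_to_end …
```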