From 685350ffded6af6d64fa28d922e03e2dd7686068 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Wed, 15 Apr 2026 17:11:39 -0700 Subject: [PATCH] fix(security): clamp `limit` parameter in user search The `index(string $filter = '', int $limit = 5)` method accepts client-controlled `limit` and passes it directly to collaborator search. Without an upper bound, an attacker can request very large limits, causing expensive directory lookups and increased response size. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- lib/Controller/UserApiController.php | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/Controller/UserApiController.php b/lib/Controller/UserApiController.php index 948111f6bf2..f960176f4f4 100644 --- a/lib/Controller/UserApiController.php +++ b/lib/Controller/UserApiController.php @@ -37,6 +37,7 @@ public function __construct( #[NoAdminRequired] #[RequireDocumentSession] public function index(string $filter = '', int $limit = 5): DataResponse { + $limit = min($limit, 50); $sessions = $this->sessionService->getAllSessions($this->getSession()->getDocumentId()); $users = [];