|
| 1 | +package org.openapitools.configuration |
| 2 | + |
| 3 | +import jakarta.validation.Constraint |
| 4 | +import jakarta.validation.ConstraintValidator |
| 5 | +import jakarta.validation.ConstraintValidatorContext |
| 6 | +import jakarta.validation.Payload |
| 7 | +import org.springframework.data.domain.Pageable |
| 8 | + |
| 9 | +/** |
| 10 | + * Validates that the page number and page size in the annotated [Pageable] parameter do not |
| 11 | + * exceed their configured maximums. |
| 12 | + * |
| 13 | + * Apply directly on a `pageable: Pageable` parameter. Each attribute is independently optional: |
| 14 | + * - [maxSize] — when set (>= 0), validates `pageable.pageSize <= maxSize` |
| 15 | + * - [maxPage] — when set (>= 0), validates `pageable.pageNumber <= maxPage` |
| 16 | + * |
| 17 | + * Use [NO_LIMIT] (= -1, the default) to leave an attribute unconstrained. |
| 18 | + * |
| 19 | + * Constraining [maxPage] is useful to prevent deep-pagination attacks, where a large page |
| 20 | + * offset (e.g. `?page=100000&size=20`) causes an expensive `OFFSET` query on the database. |
| 21 | + * |
| 22 | + * @property maxSize Maximum allowed page size, or [NO_LIMIT] if unconstrained |
| 23 | + * @property maxPage Maximum allowed page number (0-based), or [NO_LIMIT] if unconstrained |
| 24 | + * @property groups Validation groups (optional) |
| 25 | + * @property payload Additional payload (optional) |
| 26 | + * @property message Validation error message (default: "Invalid page request") |
| 27 | + */ |
| 28 | +@MustBeDocumented |
| 29 | +@Retention(AnnotationRetention.RUNTIME) |
| 30 | +@Constraint(validatedBy = [PageableConstraintValidator::class]) |
| 31 | +@Target(AnnotationTarget.VALUE_PARAMETER) |
| 32 | +annotation class ValidPageable( |
| 33 | + val maxSize: Int = ValidPageable.NO_LIMIT, |
| 34 | + val maxPage: Int = ValidPageable.NO_LIMIT, |
| 35 | + val groups: Array<kotlin.reflect.KClass<*>> = [], |
| 36 | + val payload: Array<kotlin.reflect.KClass<out Payload>> = [], |
| 37 | + val message: String = "Invalid page request" |
| 38 | +) { |
| 39 | + companion object { |
| 40 | + const val NO_LIMIT = -1 |
| 41 | + } |
| 42 | +} |
| 43 | + |
| 44 | +class PageableConstraintValidator : ConstraintValidator<ValidPageable, Pageable> { |
| 45 | + |
| 46 | + private var maxSize = ValidPageable.NO_LIMIT |
| 47 | + private var maxPage = ValidPageable.NO_LIMIT |
| 48 | + |
| 49 | + override fun initialize(constraintAnnotation: ValidPageable) { |
| 50 | + maxSize = constraintAnnotation.maxSize |
| 51 | + maxPage = constraintAnnotation.maxPage |
| 52 | + } |
| 53 | + |
| 54 | + override fun isValid(pageable: Pageable?, context: ConstraintValidatorContext): Boolean { |
| 55 | + if (pageable == null) return true |
| 56 | + |
| 57 | + var valid = true |
| 58 | + context.disableDefaultConstraintViolation() |
| 59 | + |
| 60 | + if (maxSize >= 0 && pageable.pageSize > maxSize) { |
| 61 | + context.buildConstraintViolationWithTemplate( |
| 62 | + "${context.defaultConstraintMessageTemplate}: page size ${pageable.pageSize} exceeds maximum $maxSize" |
| 63 | + ) |
| 64 | + .addPropertyNode("size") |
| 65 | + .addConstraintViolation() |
| 66 | + valid = false |
| 67 | + } |
| 68 | + |
| 69 | + if (maxPage >= 0 && pageable.pageNumber > maxPage) { |
| 70 | + context.buildConstraintViolationWithTemplate( |
| 71 | + "${context.defaultConstraintMessageTemplate}: page number ${pageable.pageNumber} exceeds maximum $maxPage" |
| 72 | + ) |
| 73 | + .addPropertyNode("page") |
| 74 | + .addConstraintViolation() |
| 75 | + valid = false |
| 76 | + } |
| 77 | + |
| 78 | + return valid |
| 79 | + } |
| 80 | +} |
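Review bot: `isValid` reads `pageable.pageSize` and `pageable.pageNumber` (file lines 60 and 69) without first checking `pageable.isPaged`, and on `Pageable.unpaged()` those accessors throw `UnsupportedOperationException`, so the validator would fail with an exception instead of producing a validation result. Whether an unpaged instance can reach this parameter depends on how the `Pageable` argument resolver is configured, which is not visible in this commit. If it can, an unpaged request also sidesteps the size cap entirely because it selects every row, so it should count as a violation whenever `maxSize` is configured: keep `if (pageable == null) return true` and add `if (pageable.isUnpaged) return maxSize < 0` directly after it. A comment on that guard, `// unpaged has no pageSize/pageNumber and bypasses the cap, so reject it when a size limit is configured`, would record the decision for the next reader.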