From aadb8a3ad8ce420dcfc4b696fc58e43f95698467 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9Cmeet=2Eghodasara=E2=80=9D?= <“meet.ghodasara@crestdatasys.com”>
Date: Wed, 6 Nov 2024 18:02:36 +0530
Subject: [PATCH] Add default and max pagination limit support to prevent large response errors on manifest and object endpoints
---
 opentaxii/config.py | 2 ++
 opentaxii/defaults.yml | 2 ++
 opentaxii/server.py | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/opentaxii/config.py b/opentaxii/config.py
index b8f2f87a..548cb723 100644
--- a/opentaxii/config.py
+++ b/opentaxii/config.py
@@ -64,6 +64,8 @@ class ServerConfig(dict):
         "title",
         "public_discovery",
         "allow_custom_properties",
+        "max_pagination_limit",
+        "default_pagination_limit"
     )
     ALL_VALID_OPTIONS = VALID_BASE_OPTIONS + VALID_TAXII_OPTIONS + VALID_TAXII1_OPTIONS
diff --git a/opentaxii/defaults.yml b/opentaxii/defaults.yml
index 214e866a..d1cda737 100644
--- a/opentaxii/defaults.yml
+++ b/opentaxii/defaults.yml
@@ -26,6 +26,8 @@ taxii1:
   create_tables: yes
 taxii2:
+  default_pagination_limit: 10
+  max_pagination_limit: 1000
 logging:
   opentaxii: info
diff --git a/opentaxii/server.py b/opentaxii/server.py
index 928ae033..fefb236f 100644
--- a/opentaxii/server.py
+++ b/opentaxii/server.py
@@ -599,6 +600,7 @@ def collection_handler(self, api_root_id, collection_id_or_alias):
         )
     def manifest_handler(self, api_root_id, collection_id_or_alias):
         filter_params = validate_list_filter_params(request.args, self.persistence.api)
+        filter_params["limit"] = self.config.get("max_pagination_limit") if filter_params.get("limit", self.config.get("max_pagination_limit")) > self.config.get("max_pagination_limit") else filter_params.get("limit", self.config.get("default_pagination_limit"))
         try:
             manifest, more = self.persistence.get_manifest(
                 api_root_id=api_root_id,
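Review bot: The new last entry `"default_pagination_limit"` in VALID_TAXII_OPTIONS drops the trailing comma that every other entry in the tuple keeps; write it as `"default_pagination_limit",` so the one-item-per-line style holds and the next appended option does not have to touch this line. Registering the names here only whitelists the keys; nothing visible in this diff checks that their values are positive integers, which the `>` comparison added in server.py relies on, so it is worth confirming where, if anywhere, ServerConfig validates option types.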
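Review bot: The added `filter_params["limit"]` line in manifest_handler compares against `self.config.get("max_pagination_limit")` without guarding for a missing key, so a config that lacks the new setting turns `filter_params.get("limit", None) > None` into a TypeError (an HTTP 500) rather than an uncapped or default-sized page; I am inferring from the diff that only configs bypassing defaults.yml hit this, since ServerConfig's merge logic is not shown. The same 200-character conditional is duplicated verbatim in objects_get_handler (the next hunk), reads `max_pagination_limit` three times, and is hard to verify by eye, so the clamp belongs in one small helper both handlers call, as sketched below. Whether `limit` can still be 0 or negative after validate_list_filter_params is not visible here and should be settled in that validator or the helper. Note the clamp silently trims an oversized request to the cap instead of rejecting it, which is fine for bounding response size as long as the `more` flag lets clients page on; manifest_handler's body continues outside the hunk.

```python
    def _bounded_limit(self, filter_params):
        """Page size to use for a list endpoint.

        Returns the requested ``limit`` if present, else the configured
        default, never above ``max_pagination_limit``.  A missing maximum
        keeps the pre-cap behaviour (no clamp) instead of raising on the
        comparison; a default larger than the maximum is also clamped.
        """
        max_limit = self.config.get("max_pagination_limit")
        limit = filter_params.get("limit", self.config.get("default_pagination_limit"))
        if max_limit is None or limit is None:
            return limit
        return min(limit, max_limit)

    def manifest_handler(self, api_root_id, collection_id_or_alias):
        filter_params = validate_list_filter_params(request.args, self.persistence.api)
        filter_params["limit"] = self._bounded_limit(filter_params)
        # … unchanged: get_manifest call and response handling …
```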
@@ -652,6 +653,7 @@ def objects_handler(self, api_root_id, collection_id_or_alias):
     def objects_get_handler(self, api_root_id, collection_id_or_alias):
         filter_params = validate_list_filter_params(request.args, self.persistence.api)
+        filter_params["limit"] = self.config.get("max_pagination_limit") if filter_params.get("limit", self.config.get("max_pagination_limit")) > self.config.get("max_pagination_limit") else filter_params.get("limit", self.config.get("default_pagination_limit"))
         try:
             objects, more, next_param = self.persistence.get_objects(
                 api_root_id=api_root_id,