All elements are returned if pageSize = 0 in splite of new option maxPageSize in PageableHandlerMethodArgumentResolver introduced from v1.6.
Consider the example below
@ContextConfiguration
@RunWith(SpringJUnit4ClassRunner.class)
@Transactional
@TransactionConfiguration(defaultRollback = true)
public class CustomerRepositoryTest {
@Inject
protected CustomerRepository customerRepository;
@Test
public void testFindAllPageable() {
System.out.println(customerRepository.findAll(new PageRequest(0, 3)));
System.out.println(customerRepository.findAll(new PageRequest(0, 0)));
System.out.println(customerRepository.findAll(new PageRequest(0, -1)));
}
}
Fist case, only 3 elements are returned with the following SQL
5. /* select count(*) from Customer as generatedAlias0 */ select count(*) as col_0_0_ from customer customer0_ {executed in 5 msec}
5. /* select generatedAlias0 from Customer as generatedAlias0 */ select customer0_.customer_code as customer1_3_, customer0_.customer_add as customer2_3_, customer0_.customer_birth as customer3_3_, customer0_.customer_job as customer4_3_, customer0_.customer_kana as customer5_3_, customer0_.customer_mail as customer6_3_, customer0_.customer_name as customer7_3_, customer0_.customer_pass as customer8_3_, customer0_.customer_post as customer9_3_, customer0_.customer_tel as custome10_3_ from customer customer0_ limit 3 {executed in 8 msec}
Third case, IllegalArgumentException is thrown with a message, "Page size must not be less than zero!".
I think these are correct result.
However, in second case, all elements are returned with the following SQL
5. /* select count(*) from Customer as generatedAlias0 */ select count(*) as col_0_0_ from customer customer0_ {executed in 2 msec}
5. /* select generatedAlias0 from Customer as generatedAlias0 */ select customer0_.customer_code as customer1_3_, customer0_.customer_add as customer2_3_, customer0_.customer_birth as customer3_3_, customer0_.customer_job as customer4_3_, customer0_.customer_kana as customer5_3_, customer0_.customer_mail as customer6_3_, customer0_.customer_name as customer7_3_, customer0_.customer_pass as customer8_3_, customer0_.customer_post as customer9_3_, customer0_.customer_tel as custome10_3_ from customer customer0_ {executed in 7 msec}
Note that there is no 'limit' statement.
I'm afraid tha it will cause OutOfMemoryError easily and weak for DDoS atack.
I think it's better to throw IllegalArgumentException if pageSize=0 or replace pageSize by maxPageSize.
Toshiaki Maki opened DATACMNS-377 and commented
All elements are returned if pageSize = 0 in splite of new option
maxPageSizeinPageableHandlerMethodArgumentResolverintroduced from v1.6.Consider the example below
Fist case, only 3 elements are returned with the following SQL
Third case,
IllegalArgumentExceptionis thrown with a message, "Page size must not be less than zero!".I think these are correct result.
However, in second case, all elements are returned with the following SQL
Note that there is no 'limit' statement.
I'm afraid tha it will cause OutOfMemoryError easily and weak for DDoS atack.
I think it's better to throw IllegalArgumentException if
pageSize=0 or replacepageSizebymaxPageSize.Affects: 1.6.1
Backported to: 1.6.3 (Babbage SR2)
2 votes, 4 watchers
The text was updated successfully, but these errors were encountered: