From 255b5bbdb044273edf6b5e47bf9112020ee392dc Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Mon, 9 Oct 2017 16:58:37 -0400
Subject: [PATCH] abuse limits on bulk apis
---
 src/Api/Controllers/CiphersController.cs | 20 +++++++++++++++++++
 .../Controllers/OrganizationsController.cs | 5 +++++
 2 files changed, 25 insertions(+)
diff --git a/src/Api/Controllers/CiphersController.cs b/src/Api/Controllers/CiphersController.cs
index 4229aa0183..37482fb3d7 100644
--- a/src/Api/Controllers/CiphersController.cs
+++ b/src/Api/Controllers/CiphersController.cs
@@ -210,6 +210,11 @@ namespace Bit.Api.Controllers
 [HttpPost("import")]
 public async Task PostImport([FromBody]ImportCiphersRequestModel model)
 {
+ if(model.Ciphers.Count() > 5000 || model.FolderRelationships.Count() > 5000 || model.Folders.Count() > 200)
+ {
+ throw new BadRequestException("You cannot import this much data at once.");
+ }
+
 var userId = _userService.GetProperUserId(User).Value;
 var folders = model.Folders.Select(f => f.ToFolder(userId)).ToList();
 var ciphers = model.Ciphers.Select(c => c.ToCipherDetails(userId)).ToList();
@@ -219,6 +224,11 @@ namespace Bit.Api.Controllers
 [HttpPost("import-organization")]
 public async Task PostImport([FromQuery]string organizationId, [FromBody]ImportOrganizationCiphersRequestModel model)
 {
+ if(model.Ciphers.Count() > 5000 || model.CollectionRelationships.Count() > 5000 || model.Collections.Count() > 200)
+ {
+ throw new BadRequestException("You cannot import this much data at once.");
+ }
+
 var orgId = new Guid(organizationId);
 if(!_currentContext.OrganizationAdmin(orgId))
 {
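Review bot: The added guard in PostImport calls `Count()` on `model.Ciphers`, `model.FolderRelationships` and `model.Folders` with no null check, so a body that omits one of those arrays would fault inside the guard (surfacing as a 500 from the request pipeline) instead of returning the intended 400. Whether that can happen depends on ImportCiphersRequestModel and its validation attributes, which are outside this hunk; if the properties are not guaranteed non-null, `(model.Ciphers?.Count() ?? 0) > 5000` (and the same form for the other two) keeps the rejection a BadRequestException. The same pattern is in the import-organization hunk below and in the Import hunk of OrganizationsController.cs. Note that the guard runs after model binding has already deserialised the full body, so these limits cap the per-item work that follows rather than the memory spent reading the request; the server's request body size limit remains the control for oversized payloads. The 5000/200 thresholds are repeated across several actions, so a named constant such as `private const int MaxImportCiphers = 5000;` would keep the checks consistent; PostImport's body continues beyond the hunk.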
@@ -320,6 +330,11 @@ namespace Bit.Api.Controllers
 [HttpPost("delete")]
 public async Task DeleteMany([FromBody]CipherBulkDeleteRequestModel model)
 {
+ if(model.Ids.Count() > 200)
+ {
+ throw new BadRequestException("You can only delete up to 200 items at a time.");
+ }
+
 var userId = _userService.GetProperUserId(User).Value;
 await _cipherService.DeleteManyAsync(model.Ids.Select(i => new Guid(i)), userId);
 }
@@ -328,6 +343,11 @@ namespace Bit.Api.Controllers
 [HttpPost("move")]
 public async Task MoveMany([FromBody]CipherBulkMoveRequestModel model)
 {
+ if(model.Ids.Count() > 200)
+ {
+ throw new BadRequestException("You can only move up to 200 items at a time.");
+ }
+
 var userId = _userService.GetProperUserId(User).Value;
 await _cipherService.MoveManyAsync(model.Ids.Select(i => new Guid(i)),
 string.IsNullOrWhiteSpace(model.FolderId) ? (Guid?)null : new Guid(model.FolderId), userId);
diff --git a/src/Api/Controllers/OrganizationsController.cs b/src/Api/Controllers/OrganizationsController.cs
index b5db87c4e8..c39ed514b1 100644
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@@ -347,6 +347,11 @@ namespace Bit.Api.Controllers
 [HttpPost("{id}/import")]
 public async Task Import(string id, [FromBody]ImportOrganizationUsersRequestModel model)
 {
+ if(model.Groups.Count() > 200 || model.Users.Count() > 1000)
+ {
+ throw new BadRequestException("You cannot import this much data at once.");
+ }
+
 var orgIdGuid = new Guid(id);
 if(!_currentContext.OrganizationAdmin(orgIdGuid))
 {
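Review bot: The limit 200 in DeleteMany appears both in the condition and again as a literal inside the error string, so the two can drift apart when the threshold is tuned; a single `private const int MaxBulkItems = 200;` used as `if(model.Ids.Count() > MaxBulkItems)` with `$"You can only delete up to {MaxBulkItems} items at a time."` keeps them in step. The same duplication is in the move hunk that follows. As with the import guards, `model.Ids.Count()` assumes `Ids` is non-null; if CipherBulkDeleteRequestModel does not enforce that (it is outside this hunk), a missing array would fault in the guard rather than produce the intended 400.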