fix(sec): set default maximum batching size to 1000 to prevent Denial of Service

hainenber · hainenber · commit cc64042dc18d · 2024-10-29T23:23:08.000+07:00
Signed-off-by: hainenber &lt;dotronghai96@gmail.com&gt;
diff --git a/.changeset/silent-cooks-visit.md b/.changeset/silent-cooks-visit.md
@@ -0,0 +1,5 @@
+---
+'dataloader': minor
+---
+
+set default maximum batching size to 1000 to prevent Denial of Service.
diff --git a/README.md b/README.md
@@ -395,7 +395,7 @@ Create a new `DataLoader` given a batch loading function and options.
 | Option Key        | Type     | Default                                   | Description                                                                                                                                                                                |
 | ----------------- | -------- | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | `batch`           | Boolean  | `true`                                    | Set to `false` to disable batching, invoking `batchLoadFn` with a single load key. This is equivalent to setting `maxBatchSize` to `1`.                                                    |
-| `maxBatchSize`    | Number   | `Infinity`                                | Limits the number of items that get passed in to the `batchLoadFn`. May be set to `1` to disable batching.                                                                                 |
+| `maxBatchSize`    | Number   | `1000`                                | Limits the number of items that get passed in to the `batchLoadFn`. May be set to `1` to disable batching.                                                                                 |
 | `batchScheduleFn` | Function | See [Batch scheduling](#batch-scheduling) | A function to schedule the later execution of a batch. The function is expected to call the provided callback in the immediate future.                                                     |
 | `cache`           | Boolean  | `true`                                    | Set to `false` to disable memoization caching, creating a new Promise and new key in the `batchLoadFn` for every load of the same key. This is equivalent to setting `cacheMap` to `null`. |
 | `cacheKeyFn`      | Function | `key => key`                              | Produces cache key for a given load key. Useful when objects are keys and two objects should be considered equivalent.                                                                     |
diff --git a/src/index.d.ts b/src/index.d.ts
@@ -95,7 +95,7 @@ declare namespace DataLoader {
     batch?: boolean;
 
     /**
-     * Default `Infinity`. Limits the number of items that get passed in to the
+     * Default `1000`. Limits the number of items that get passed in to the
      * `batchLoadFn`. May be set to `1` to disable batching.
      */
     maxBatchSize?: number;
diff --git a/src/index.js b/src/index.js
@@ -412,7 +412,7 @@ function getValidMaxBatchSize(options: ?Options<any, any, any>): number {
   }
   const maxBatchSize = options && options.maxBatchSize;
   if (maxBatchSize === undefined) {
-    return Infinity;
+    return 1000;
   }
   if (typeof maxBatchSize !== 'number' || maxBatchSize < 1) {
     throw new TypeError(

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'dataloader': minor
 +---
++
 +set default maximum batching size to 1000 to prevent Denial of Service.
Original file line number	Diff line number	Diff line change
`@@ -412,7 +412,7 @@ function getValidMaxBatchSize(options: ?Options<any, any, any>): number {`
`412`	`412`	`}`
`413`	`413`	`const maxBatchSize = options && options.maxBatchSize;`
`414`	`414`	`if (maxBatchSize === undefined) {`
`415`		`- return Infinity;`
	`415`	`+ return 1000;`
`416`	`416`	`}`
`417`	`417`	`if (typeof maxBatchSize !== 'number' \|\| maxBatchSize < 1) {`
`418`	`418`	`throw new TypeError(`