Reject queries that have too many operators (#37200)

goffrie · Convex, Inc. · commit 4f212093a6d9 · 2025-05-10T01:42:08.000Z
GitOrigin-RevId: 4ed1a3de30568fdcd65e892efb99babf3977fc67
diff --git a/crates/common/src/json/query.rs b/crates/common/src/json/query.rs
@@ -21,6 +21,7 @@ use crate::{
         QuerySource,
         Search,
         SearchFilterExpression,
+        MAX_QUERY_OPERATORS,
     },
     types::{
         IndexName,
@@ -298,6 +299,11 @@ impl TryFrom<JsonValue> for Query {
 
     fn try_from(value: JsonValue) -> Result<Self> {
         let json_query: JsonQuery = serde_json::from_value(value)?;
+        anyhow::ensure!(
+            json_query.operators.len() <= MAX_QUERY_OPERATORS,
+            "Query has too many operators: {}",
+            json_query.operators.len()
+        );
         Ok(Query {
             source: json_query.source.try_into()?,
             operators: json_query
diff --git a/crates/common/src/query.rs b/crates/common/src/query.rs
@@ -1018,6 +1018,14 @@ pub enum QueryOperator {
     Limit(usize),
 }
 
+/// The maximum number of `QueryOperator`s allowed on a single query.
+/// This is only enforced for queries deserialized from JSON as we assume other
+/// queries come from the system.
+///
+/// N.B.: this value is replicated in `query_impl.ts` in the `convex` npm
+/// package.
+pub const MAX_QUERY_OPERATORS: usize = 256;
+
 /// A query, represented as a source and a chain of operators to apply as a lazy
 /// iteration.
 #[derive(Clone, Debug, PartialEq)]
diff --git a/npm-packages/convex/src/server/impl/query_impl.ts b/npm-packages/convex/src/server/impl/query_impl.ts
@@ -19,6 +19,8 @@ import {
 import { validateArg, validateArgIsNonNegativeInteger } from "./validate.js";
 import { version } from "../../index.js";
 
+const MAX_QUERY_OPERATORS = 256;
+
 type QueryOperator = { filter: JSONValue } | { limit: number };
 type Source =
   | { type: "FullTableScan"; tableName: string; order: "asc" | "desc" | null }
@@ -223,6 +225,11 @@ export class QueryImpl implements Query<GenericTableInfo> {
   ): any {
     validateArg(predicate, 1, "filter", "predicate");
     const query = this.takeQuery();
+    if (query.operators.length >= MAX_QUERY_OPERATORS) {
+      throw new Error(
+        `Can't construct query with more than ${MAX_QUERY_OPERATORS} operators`,
+      );
+    }
     query.operators.push({
       filter: serializeExpression(predicate(filterBuilderImpl)),
     });
