From f3de7855f90ed6785f546ed4831e3cc9d34c63ad Mon Sep 17 00:00:00 2001
From: Giorgenes Gelatti
Date: Thu, 15 Aug 2019 16:22:13 +1000
Subject: Limit registry tag bulk delete to 15 items
---
 app/controllers/projects/registry/tags_controller.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/app/controllers/projects/registry/tags_controller.rb b/app/controllers/projects/registry/tags_controller.rb
index 633a7865cfe..54e2faa2dd7 100644
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -5,6 +5,8 @@ module Projects
 class TagsController < ::Projects::Registry::ApplicationController
 before_action :authorize_destroy_container_image!, only: [:destroy]
+ LIMIT = 15
+
 def index
 respond_to do |format|
 format.json do
@@ -34,7 +36,13 @@ module Projects
 return
 end
- @tags = (params[:ids] || []).map { |tag_name| image.tag(tag_name) }
+ tag_names = params[:ids] || []
+ if tag_names.size > LIMIT
+ head :bad_request
+ return
+ end
+
+ @tags = tag_names.map { |tag_name| image.tag(tag_name) }
 unless @tags.all? { |tag| tag.valid_name? }
 head :bad_request
 return
@@ -55,7 +63,7 @@ module Projects
 private
 def tags
- Kaminari::PaginatableArray.new(image.tags, limit: 15)
+ Kaminari::PaginatableArray.new(image.tags, limit: LIMIT)
 end
 def image
--
cgit v1.2.1
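Review bot: `LIMIT` in the first hunk is a generic name for a constant that now carries two meanings: the page size passed to `Kaminari::PaginatableArray` in `tags` (third hunk) and the per-request cap on bulk deletion (second hunk). A later change to the page size would silently change how many tags one request may delete. If the two values are meant to move together, I would say so at the definition, e.g. `# Page size of the tag list; also the maximum number of tags one bulk delete request may name`; otherwise split it into two constants. The class body continues outside the hunk.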
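Review bot: The new size check in the second hunk assumes `params[:ids]` is an array, which the request does not guarantee. A scalar `ids=...` value would have `.size` measured as string length and then reach `.map`, which String does not define, so the request would likely end in a 500 instead of the intended `head :bad_request`. Coercing first, e.g. `tag_names = Array.wrap(params[:ids])`, keeps both the cap and the `valid_name?` check operating on a list. The diffstat lists only the controller, so a spec asserting that `LIMIT + 1` names returns 400 would be worth adding. The enclosing action starts and ends outside the hunk.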