Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-23550

REST APIs can list all pages/spaces, leading to unavailability

    XMLWordPrintable

Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      REST API endpoints like /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties list all available pages, which can exhaust available resources on large wikis.

      Expected result:

      This kind of API shouldn't return all available pages/spaces even when a database list property is configured do list pages/spaces without limit.

      Actual result:

      High memory usage and eventual unavailability on systems with a huge number of pages/spaces (> 1 million).

      Attachments

        Issue Links

          links to

          Web Link Security Advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: