From 3d2beb3319a932fa17965bffe743e633cac23d96 Mon Sep 17 00:00:00 2001
From: Andrew Gaul <andrew@gaul.org>
Date: Tue, 3 Sep 2024 23:22:57 +0200
Subject: [PATCH] Enforce limit when deleting multiple objects

Found via s3-tests.
---
 src/main/java/org/gaul/s3proxy/S3ProxyHandler.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java b/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
index 94099421..094f097d 100644
--- a/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
+++ b/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
@@ -1589,6 +1589,10 @@ private void handleMultiBlobRemove(HttpServletRequest request,
             throw new S3Exception(S3ErrorCode.MALFORMED_X_M_L);
         }
 
+        if (dmor.objects.size() > 1_000) {
+            throw new S3Exception(S3ErrorCode.INVALID_ARGUMENT);
+        }
+
         Collection<String> blobNames = new ArrayList<>();
         for (DeleteMultipleObjectsRequest.S3Object s3Object :
                 dmor.objects) {