Test for anti-DoS for expand

The only response from the server is a 400 Signed-off-by: David Greaves <david@dgreaves.com>
2025-08-04 18:22:26 +00:00 · 2025-07-08 15:08:44 +01:00 · 2025-07-08 15:08:44 +01:00 · 3f4f405554
commit 3f4f405554
parent 61850d9b13
2 changed files with 63 additions and 1 deletions
--- a/radicale/tests/static/event_daily_rrule_forever.ics
+++ b/radicale/tests/static/event_daily_rrule_forever.ics
@ -0,0 +1,28 @@
+BEGIN:VCALENDAR
+VERSION:2.0
+BEGIN:VTIMEZONE
+LAST-MODIFIED:20040110T032845Z
+TZID:US/Eastern
+BEGIN:DAYLIGHT
+DTSTART:20000404T020000
+RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4
+TZNAME:EDT
+TZOFFSETFROM:-0500
+TZOFFSETTO:-0400
+END:DAYLIGHT
+BEGIN:STANDARD
+DTSTART:20001026T020000
+RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
+TZNAME:EST
+TZOFFSETFROM:-0400
+TZOFFSETTO:-0500
+END:STANDARD
+END:VTIMEZONE
+BEGIN:VEVENT
+DTSTART;TZID=US/Eastern:20060102T120000
+DURATION:PT1H
+RRULE:FREQ=DAILY
+SUMMARY:Recurring event
+UID:event_daily_rrule_forever
+END:VEVENT
+END:VCALENDAR
--- a/radicale/tests/test_expand.py
+++ b/radicale/tests/test_expand.py
@ -23,7 +23,7 @@ Radicale tests with expand requests.
 """

 import os
-from typing import ClassVar, List
+from typing import ClassVar, List, Optional
 from xml.etree import ElementTree

 from radicale.log import logger
@ -154,6 +154,7 @@ permissions: RrWw""")

        _, responses = self.report("/calendar.ics/",
                                   self._req_with_expand(expected_uid, start, end))
+
        assert len(responses) == 1

        response_with_expand = responses[f'/calendar.ics/{expected_uid}.ics']
@ -186,6 +187,29 @@ permissions: RrWw""")
        assert len(uids) == len(expected_recurrence_ids)
        assert len(set(recurrence_ids)) == len(expected_recurrence_ids)

+    def _test_expand_max(self,
+                         expected_uid: str,
+                         start: str,
+                         end: str,
+                         check: Optional[int] = None) -> None:
+        _, responses = self.report("/calendar.ics/",
+                                   self._req_without_expand(expected_uid, start, end))
+        assert len(responses) == 1
+        response_without_expand = responses[f'/calendar.ics/{expected_uid}.ics']
+        assert not isinstance(response_without_expand, int)
+        status, element = response_without_expand["C:calendar-data"]
+
+        assert status == 200 and element.text
+
+        assert "RRULE" in element.text
+
+        status, headers, answer = self.request(
+            "REPORT", "/calendar.ics/",
+            self._req_with_expand(expected_uid, start, end),
+            check=check)
+
+        assert status == 400
+
    def test_report_with_expand_property(self) -> None:
        """Test report with expand property"""
        self._test_expand(
@ -298,3 +322,13 @@ permissions: RrWw""")
            CONTAINS_TIMES,
            1
        )
+
+    def test_report_with_expand_property_max_occur(self) -> None:
+        """Test report with expand property too many vevents"""
+        self.configure({"reporting": {"max_freebusy_occurrence": 100}})
+        self._test_expand_max(
+            "event_daily_rrule_forever",
+            "20060103T000000Z",
+            "20060501T000000Z",
+            check=400
+        )