From 5b53a8e9d9b60d58bc29021e809fd2d1665ce0b3 Mon Sep 17 00:00:00 2001
From: Nicolas Chaulet <nicolas.chaulet@elastic.co>
Date: Thu, 22 Dec 2022 13:19:25 -0500
Subject: [PATCH] [Fleet] Validate pagination in fleet agents API (#148002)

---
 .../server/types/rest_spec/agent.test.ts      | 27 +++++++++++++++++
 .../fleet/server/types/rest_spec/agent.ts     | 29 +++++++++++++------
 2 files changed, 47 insertions(+), 9 deletions(-)
 create mode 100644 x-pack/plugins/fleet/server/types/rest_spec/agent.test.ts

diff --git a/x-pack/plugins/fleet/server/types/rest_spec/agent.test.ts b/x-pack/plugins/fleet/server/types/rest_spec/agent.test.ts
new file mode 100644
index 0000000000000..a978c2ffe9479
--- /dev/null
+++ b/x-pack/plugins/fleet/server/types/rest_spec/agent.test.ts
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { GetAgentsRequestSchema } from './agent';
+
+describe('GetAgentsRequestSchema', () => {
+  it('should allow pagination with less than 10000 agents', () => {
+    expect(() =>
+      GetAgentsRequestSchema.query.validate({
+        page: 500,
+        perPage: 20,
+      })
+    ).not.toThrow();
+  });
+  it('should not allow pagination to go over 10000 agents', () => {
+    expect(() =>
+      GetAgentsRequestSchema.query.validate({
+        page: 501,
+        perPage: 20,
+      })
+    ).toThrowError(/You cannot use page and perPage page over 10000 agents/);
+  });
+});
diff --git a/x-pack/plugins/fleet/server/types/rest_spec/agent.ts b/x-pack/plugins/fleet/server/types/rest_spec/agent.ts
index 709e8e8d27159..305b6f16f90d6 100644
--- a/x-pack/plugins/fleet/server/types/rest_spec/agent.ts
+++ b/x-pack/plugins/fleet/server/types/rest_spec/agent.ts
@@ -9,18 +9,29 @@ import { schema } from '@kbn/config-schema';
 import moment from 'moment';
 import semverIsValid from 'semver/functions/valid';
 
+import { SO_SEARCH_LIMIT } from '../../constants';
+
 import { NewAgentActionSchema } from '../models';
 
 export const GetAgentsRequestSchema = {
-  query: schema.object({
-    page: schema.number({ defaultValue: 1 }),
-    perPage: schema.number({ defaultValue: 20 }),
-    kuery: schema.maybe(schema.string()),
-    showInactive: schema.boolean({ defaultValue: false }),
-    showUpgradeable: schema.boolean({ defaultValue: false }),
-    sortField: schema.maybe(schema.string()),
-    sortOrder: schema.maybe(schema.oneOf([schema.literal('asc'), schema.literal('desc')])),
-  }),
+  query: schema.object(
+    {
+      page: schema.number({ defaultValue: 1 }),
+      perPage: schema.number({ defaultValue: 20 }),
+      kuery: schema.maybe(schema.string()),
+      showInactive: schema.boolean({ defaultValue: false }),
+      showUpgradeable: schema.boolean({ defaultValue: false }),
+      sortField: schema.maybe(schema.string()),
+      sortOrder: schema.maybe(schema.oneOf([schema.literal('asc'), schema.literal('desc')])),
+    },
+    {
+      validate: (request) => {
+        if (request.page * request.perPage > SO_SEARCH_LIMIT) {
+          return `You cannot use page and perPage page over ${SO_SEARCH_LIMIT} agents`;
+        }
+      },
+    }
+  ),
 };
 
 export const GetOneAgentRequestSchema = {