From 02d4b35ab10a65e8a31c9a569e9cc6a9b2df37bf Mon Sep 17 00:00:00 2001
From: Kopper
Date: Mon, 20 Jan 2025 19:47:54 +0300
Subject: [PATCH] [backend/masto-client] Limit batch endpoints
---
 Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs | 3 ++-
 Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs b/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs
index 3f082d72..1c9edc5c 100644
--- a/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs
+++ b/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs
@@ -1,3 +1,4 @@
+using System.ComponentModel.DataAnnotations;
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
 using System.Net.Mime;
@@ -171,7 +172,7 @@ public class AccountController(
 [HttpGet]
 [ProducesResults(HttpStatusCode.OK)]
 [ProducesErrors(HttpStatusCode.Forbidden)]
- public async Task> GetManyUsers([FromQuery(Name = "id")] List ids)
+ public async Task> GetManyUsers([FromQuery(Name = "id")] [MaxLength(40)] HashSet ids)
 {
 var localUser = HttpContext.GetUser();
 if (config.Value.PublicPreview == Enums.PublicPreview.Lockdown && localUser == null)
diff --git a/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs b/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs
index 2440883b..4d63dc34 100644
--- a/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs
+++ b/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs
@@ -1,3 +1,4 @@
+using System.ComponentModel.DataAnnotations;
 using System.Net;
 using System.Net.Mime;
 using AsyncKeyedLock;
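Review bot: The new `[MaxLength(40)]` on `ids` in GetManyUsers only bounds the batch if model validation actually runs and rejects the request; nothing in this hunk checks `ModelState`, so the cap depends on the controller carrying `[ApiController]` or an equivalent validation filter outside the visible lines. If that is not guaranteed, the attribute is inert and an oversized id set still reaches the lookup, so an explicit `if (ids.Count > 40)` guard at the top of the method (answered with the project's usual 400 response), or a regression test that sends 41 distinct ids and expects a rejection, would pin the behaviour. Because the parameter is now a `HashSet`, the limit counts distinct ids after binding, so every repeated `id` value is still parsed before the check. The same applies to `[MaxLength(20)]` on GetManyNotes in StatusController.cs; both method bodies continue outside their hunks.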
@@ -75,7 +76,7 @@ public class StatusController(
 [Authenticate("read:statuses")]
 [ProducesResults(HttpStatusCode.OK)]
 [ProducesErrors(HttpStatusCode.Forbidden)]
- public async Task> GetManyNotes([FromQuery(Name = "id")] List ids)
+ public async Task> GetManyNotes([FromQuery(Name = "id")] [MaxLength(20)] HashSet ids)
 {
 var user = HttpContext.GetUser();
 if (security.Value.PublicPreview == Enums.PublicPreview.Lockdown && user == null)
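Review bot: The limits are bare literals (`20` on GetManyNotes here, `40` on GetManyUsers in AccountController.cs) with no comment saying why they differ or what a client sees when it exceeds them. A comment above the signature such as `// Cap batch lookups to bound per-request work; over-limit requests fail model validation`, plus a named constant per controller, would make the intent reviewable and keep the two values from drifting silently. If over-limit requests are answered with 400, the unchanged `[ProducesErrors(HttpStatusCode.Forbidden)]` no longer lists every error this endpoint can return, so `HttpStatusCode.BadRequest` should presumably be declared there as well. The method body continues outside the hunk.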