Fix potential depth leak

2026-05-23 08:58:35 +00:00 · 2026-02-04 19:22:00 +13:00 · 2026-02-04 19:22:00 +13:00 · 2c790ecd84
commit 2c790ecd84
parent 5733972218
1 changed files with 8 additions and 2 deletions
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Action.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Action.php
@ -293,8 +293,8 @@ abstract class Action extends DatabasesAction
        array &$collectionsCache,
        Authorization $authorization,
        ?int &$operations = null,
+        int $depth = 0,
    ): bool {
-
        if ($operations !== null && $document->isEmpty()) {
            return false;
        }
@ -308,6 +308,11 @@ abstract class Action extends DatabasesAction
        $document->setAttribute('$databaseId', $database->getId());
        $document->setAttribute('$' . $this->getCollectionsEventsContext() . 'Id', $collectionId);

+        // Stop processing relationships if max depth reached
+        if ($depth >= Database::RELATION_MAX_DEPTH) {
+            return true;
+        }
+
        $relationships = $collectionsCache[$collectionId] ??= \array_filter(
            $collection->getAttribute('attributes', []),
            fn ($attr) => $attr->getAttribute('type') === Database::VAR_RELATIONSHIP
@ -354,8 +359,9 @@ abstract class Action extends DatabasesAction
                        document: $relation,
                        dbForProject: $dbForProject,
                        collectionsCache: $collectionsCache,
+                        authorization: $authorization,
                        operations: $operations,
-                        authorization: $authorization
+                        depth: $depth + 1
                    );
                }
            }