From 2c790ecd84ad8e64c13ae04b1f22bc391799a96b Mon Sep 17 00:00:00 2001 From: Jake Barnby Date: Wed, 4 Feb 2026 19:22:00 +1300 Subject: [PATCH] Fix potential depth leak --- .../Http/Databases/Collections/Documents/Action.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Action.php b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Action.php index 3159eed5e3..39146508fb 100644 --- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Action.php +++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Action.php @@ -293,8 +293,8 @@ abstract class Action extends DatabasesAction array &$collectionsCache, Authorization $authorization, ?int &$operations = null, + int $depth = 0, ): bool { - if ($operations !== null && $document->isEmpty()) { return false; } @@ -308,6 +308,11 @@ abstract class Action extends DatabasesAction $document->setAttribute('$databaseId', $database->getId()); $document->setAttribute('$' . $this->getCollectionsEventsContext() . 'Id', $collectionId); + // Stop processing relationships if max depth reached + if ($depth >= Database::RELATION_MAX_DEPTH) { + return true; + } + $relationships = $collectionsCache[$collectionId] ??= \array_filter( $collection->getAttribute('attributes', []), fn ($attr) => $attr->getAttribute('type') === Database::VAR_RELATIONSHIP @@ -354,8 +359,9 @@ abstract class Action extends DatabasesAction document: $relation, dbForProject: $dbForProject, collectionsCache: $collectionsCache, + authorization: $authorization, operations: $operations, - authorization: $authorization + depth: $depth + 1 ); } }