From 69800fbc895cf5f67c405414596e6317000ab15c Mon Sep 17 00:00:00 2001 From: Logan Williams Date: Fri, 20 Jan 2023 16:10:39 +0100 Subject: [PATCH] Add backend size limits on query area/execution time --- api/api.py | 16 +++++++++++++++- frontend/public/index.html | 1 + frontend/src/store/index.js | 26 ++++++++++++++++++++------ 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/api/api.py b/api/api.py index b0694e4..ac4ece6 100644 --- a/api/api.py +++ b/api/api.py @@ -10,6 +10,7 @@ from functools import wraps import os from loguru import logger from datetime import datetime +import math GOOGLE_CLIENT_ID = os.environ.get("GOOGLE_CLIENT_ID", None) @@ -28,8 +29,15 @@ def json_query(query, conn=None): cur = conn.cursor(cursor_factory=RealDictCursor) + cur.execute("SET SESSION statement_timeout = '120s';") + t1 = datetime.now() - cur.execute(query) + try: + cur.execute(query) + except psycopg2.errors.QueryCanceled: + logger.warning("Request timed out") + return Response(status=400) + data = cur.fetchall() cur.close() conn.close() @@ -98,7 +106,13 @@ def get_intersection(): t = float(args.get("t")) bbox = [l, b, r, t] + + area = math.pow(6371,2) * math.pi * abs(math.sin(math.radians(t)) - math.sin(math.radians(b))) * abs(r - l) / 180 + # reject queries that are too large + if area > 4e6: + return Response(status=400) + bbox_filter = sql.SQL("AND way && ST_Transform(ST_MakeEnvelope({left}, {bottom}, {right}, {top}, 4326), 3857)").format(left=sql.Literal(bbox[0]), bottom=sql.Literal(bbox[1]), right=sql.Literal(bbox[2]), top=sql.Literal(bbox[3])) first = filters[0] diff --git a/frontend/public/index.html b/frontend/public/index.html index 66c2494..b005db8 100644 --- a/frontend/public/index.html +++ b/frontend/public/index.html @@ -8,6 +8,7 @@ Bellingcat OpenStreetMap search +
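Review bot: The new `except psycopg2.errors.QueryCanceled` branch in `json_query` returns before `cur.close()` and `conn.close()`, so a timed-out request leaves the cursor open and the connection sitting in an aborted transaction; the closes should move into a `finally:` so every exit path releases the connection (a connection handed in through the `conn` parameter would otherwise stay unusable for its owner, and for the locally created one only CPython's refcounting eventually closes it). `SET SESSION statement_timeout` also persists for the connection's lifetime rather than for this one query, so if a caller can pass a long-lived `conn`, `SET LOCAL statement_timeout = '120s'` scopes it to the current transaction — presumably psycopg2's default non-autocommit mode makes that cover the following `execute`, worth confirming. Returning 400 for a server-side timeout misreports where the failure lies; 504 (or 503) is the conventional status for "the backend gave up". `json_query` begins and ends outside this hunk, and note that `statement_timeout` bounds execution time only, not the size of the result that `fetchall()` materializes afterwards.
```python
    cur.execute("SET SESSION statement_timeout = '120s';")

    t1 = datetime.now()
    try:
        cur.execute(query)
        data = cur.fetchall()
    except psycopg2.errors.QueryCanceled:
        logger.warning("Request timed out")
        return Response(status=504)
    finally:
        cur.close()
        conn.close()
    # … unchanged: rest of json_query …
```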
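Review bot: The area guard added to `get_intersection` can be bypassed with a non-finite coordinate: `float(args.get("t"))` happily parses `"nan"` (and `"inf"`), and a NaN in any of `l`, `b`, `r`, `t` makes `area` NaN, so `area > 4e6` is False and the unbounded envelope goes straight into `ST_MakeEnvelope`. Rejecting non-finite input before the comparison closes that hole, e.g. `if not all(math.isfinite(v) for v in bbox) or area > 4e6:` followed by the existing `return Response(status=400)`. The coordinates are also never range-checked, so validating `-90 <= b <= t <= 90` and `-180 <= l, r <= 180` before the arithmetic would keep the area formula meaningful and stop garbage envelopes reaching PostGIS. As a style point, `math.pow(6371,2)` reads better as `6371 ** 2`, and the bare `Response(status=400)` carries no body, so the client cannot distinguish "bbox too large" from a malformed parameter — a short JSON body stating the reason would help (the frontend part of this commit is not visible here, so it may compensate client-side). `get_intersection` begins and ends outside this hunk.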