fix: limit pagination to protect the node would not be Query DoS (#252)

* fix: limit pagination to protect the node would not be Query DoS

* chore: fix lint

* chore: fix testcase

types/query/pagination.go

@@ -38,7 +38,8 @@ func ParsePagination(pageReq *PageRequest) (page, limit int, err error) {
 
 	if limit < 0 {
 		return 1, 0, status.Error(codes.InvalidArgument, "limit must greater than 0")
-	} else if limit == 0 {
+	} else if limit > DefaultLimit || limit == 0 {
+		// limit to protect the node would not be Query DoS
 		limit = DefaultLimit
 	}
 
@@ -74,6 +75,9 @@ func Paginate(
 
 		// count total results when the limit is zero/not supplied
 		countTotal = true
+	} else if limit > DefaultLimit {
+		// limit to protect the node would not be Query DoS
+		limit = DefaultLimit
 	}
 
 	if len(key) != 0 {

types/query/pagination_test.go

@@ -234,11 +234,20 @@ func (s *paginationTestSuite) TestReversePagination() {
 	s.Require().NotNil(res1.Pagination.NextKey)
 
 	s.T().Log("verify paginate with custom limit and countTotal, Reverse false")
-	pageReq = &query.PageRequest{Limit: 150}
+	pageReq = &query.PageRequest{Limit: 100}
 	request = types.NewQueryAllBalancesRequest(addr1, pageReq)
 	res1, err = queryClient.AllBalances(gocontext.Background(), request)
 	s.Require().NoError(err)
-	s.Require().Equal(res1.Balances.Len(), 150)
+	s.Require().Equal(res1.Balances.Len(), 100)
+	s.Require().NotNil(res1.Pagination.NextKey)
+	s.Require().Equal(res1.Pagination.Total, uint64(0))
+
+	s.T().Log("verify paginate with custom limit and countTotal, Reverse false")
+	pageReq = &query.PageRequest{Limit: 50, Offset: 100}
+	request = types.NewQueryAllBalancesRequest(addr1, pageReq)
+	res1, err = queryClient.AllBalances(gocontext.Background(), request)
+	s.Require().NoError(err)
+	s.Require().Equal(res1.Balances.Len(), 50)
 	s.Require().NotNil(res1.Pagination.NextKey)
 	s.Require().Equal(res1.Pagination.Total, uint64(0))