http/hsts: Add a .max_items field

daurnimator · daurnimator · commit d9f1e4935e1e · 2018-08-16T23:07:59.000+10:00
diff --git a/doc/modules/http.hsts.md b/doc/modules/http.hsts.md
@@ -7,6 +7,14 @@ Data structures useful for HSTS (HTTP Strict Transport Security)
 Creates and returns a new HSTS store.
 
 
+### `hsts_store.max_items` <!-- --> {#http.hsts.max_items}
+
+The maximum number of items allowed in the store.
+Decreasing this value will only prevent new items from being added, it will not remove old items.
+
+Defaults to infinity (any number of items is allowed).
+
+
 ### `hsts_store:clone()` <!-- --> {#http.hsts:clone}
 
 Creates and returns a copy of a store.
diff --git a/http/hsts.lua b/http/hsts.lua
@@ -8,6 +8,7 @@ local http_util = require "http.util"
 
 local store_methods = {
 	time = function() return os.time() end;
+	max_items = (1e999);
 }
 
 local store_mt = {
@@ -25,12 +26,14 @@ local function new_store()
 	return setmetatable({
 		domains = {};
 		expiry_heap = binaryheap.minUnique();
+		n_items = 0;
 	}, store_mt)
 end
 
 function store_methods:clone()
 	local r = new_store()
 	r.time = rawget(self, "time")
+	r.n_items = rawget(self, "n_items")
 	r.expiry_heap = binaryheap.minUnique()
 	for host, item in pairs(self.domains) do
 		r.domains[host] = item
@@ -63,6 +66,12 @@ function store_methods:store(host, directives)
 		local old_item = self.domains[host]
 		if old_item then
 			self.expiry_heap:remove(old_item)
+		else
+			local n_items = self.n_items
+			if n_items >= self.max_items then
+				return false
+			end
+			self.n_items = n_items + 1
 		end
 		local expires = now + max_age
 		local item = setmetatable({
@@ -81,6 +90,7 @@ function store_methods:remove(host)
 	if item then
 		self.expiry_heap:remove(item)
 		self.domains[host] = nil
+		self.n_items = self.n_items - 1
 	end
 	return true
 end
@@ -120,6 +130,7 @@ function store_methods:clean()
 	while self:clean_due() < now do
 		local item = self.expiry_heap:pop()
 		self.domains[item.host] = nil
+		self.n_items = self.n_items - 1
 	end
 	return true
 end
diff --git a/spec/hsts_spec.lua b/spec/hsts_spec.lua
@@ -107,4 +107,22 @@ describe("hsts module", function()
 		assert.falsy(s:check("example.com"))
 		assert.truthy(s:check("keep.me"))
 	end)
+	it("enforces .max_items", function()
+		local s = http_hsts.new_store()
+		s.max_items = 0
+		assert.falsy(s:store("example.com", {
+			["max-age"] = "100";
+		}))
+		s.max_items = 1
+		assert.truthy(s:store("example.com", {
+			["max-age"] = "100";
+		}))
+		assert.falsy(s:store("other.com", {
+			["max-age"] = "100";
+		}))
+		s:remove("example.com", "/", "foo")
+		assert.truthy(s:store("other.com", {
+			["max-age"] = "100";
+		}))
+	end)
 end)
