From 6685f8eba938a15a7dbab76f8966157565085d4e Mon Sep 17 00:00:00 2001
From: Anna Shaleva <shaleva.ann@nspcc.ru>
Date: Wed, 21 Oct 2020 13:02:46 +0300
Subject: [PATCH] core: restrict the maximum number of requests per URL

---
 pkg/core/native/oracle.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/core/native/oracle.go b/pkg/core/native/oracle.go
index abe3b7228..dfcc47287 100644
--- a/pkg/core/native/oracle.go
+++ b/pkg/core/native/oracle.go
@@ -3,6 +3,7 @@ package native
 import (
 	"encoding/binary"
 	"errors"
+	"fmt"
 	"math/big"
 
 	"github.com/nspcc-dev/neo-go/pkg/core/dao"
@@ -42,6 +43,8 @@ const (
 	maxFilterLength   = 128
 	maxCallbackLength = 32
 	maxUserDataLength = 512
+	// maxRequestsCount is the maximum number of requests per URL
+	maxRequestsCount = 256
 
 	oracleRequestPrice = 5000_0000
 )
@@ -329,6 +332,9 @@ func (o *Oracle) PutRequestInternal(id uint64, req *state.OracleRequest, d dao.D
 	if err := o.getSerializableFromDAO(d, key, lst); err != nil && !errors.Is(err, storage.ErrKeyNotFound) {
 		return err
 	}
+	if len(*lst) >= maxRequestsCount {
+		return fmt.Errorf("there are too many pending requests for %s url", req.URL)
+	}
 	*lst = append(*lst, id)
 	si := &state.StorageItem{Value: lst.Bytes()}
 	return d.PutStorageItem(o.ContractID, key, si)