Make it possible to disallow slow queries (or warn user about the problem)

src/app.py

@@ -326,7 +326,7 @@ def query(
         )
 
     if not rules:
-        raise HTTPException(status_code=400, detail=f"No rule was specified.")
+        raise HTTPException(status_code=400, detail="No rule was specified.")
 
     if data.method == RequestQueryMethod.parse:
         return [
@@ -335,11 +335,28 @@ def query(
                 rule_author=rule.author,
                 is_global=rule.is_global,
                 is_private=rule.is_private,
+                is_degenerate=rule.parse().is_degenerate,
                 parsed=rule.parse().query,
             )
             for rule in rules
         ]
 
+    degenerate_rules = [r.name for r in rules if r.parse().is_degenerate]
+    disallow_degenerate = db.get_mquery_config_key("query_disallow_degenerate")
+    if degenerate_rules and (disallow_degenerate == "true"):
+        degenerate_rule_names = ", ".join(degenerate_rules)
+        doc_url = "https://cert-polska.github.io/mquery/docs/yara.html"
+        raise HTTPException(
+            status_code=400,
+            detail=(
+                "Invalid query. "
+                "Some of the rules would require a Yara scan of every indexed "
+                "file, and this is not allowed by this instance. "
+                f"Problematic rules: {degenerate_rule_names}. "
+                f"Read {doc_url} for more details."
+            ),
+        )
+
     active_agents = db.get_active_agents()
 
     for agent, agent_spec in active_agents.items():

src/db.py

@@ -331,6 +331,8 @@ def get_core_config(self) -> Dict[str, str]:
             "openid_url": "OpenID Connect base url",
             "openid_client_id": "OpenID client ID",
             "openid_secret": "Secret used for JWT token verification",
+            # Query and performance config
+            "query_disallow_degenerate": "Reject any queries that will end up scanning the whole malware collection",
         }
 
     def get_config(self) -> List[ConfigSchema]:

src/mqueryfront/src/config/ConfigEntries.js

@@ -10,6 +10,7 @@ const KNOWN_RULES = {
     openid_url: R_URL,
     auth_enabled: R_BOOL,
     auth_default_roles: R_ROLES,
+    query_disallow_degenerate: R_BOOL,
 };
 
 class ConfigRow extends Component {

src/mqueryfront/src/query/QueryParseStatus.js

@@ -6,14 +6,28 @@ const QueryParseStatus = (props) => {
     if (!queryPlan) return null;
 
     const parseResult = queryPlan.map((rule) => {
-        const { is_private, is_global, rule_name, parsed } = rule;
+        const {
+            is_private,
+            is_global,
+            is_degenerate,
+            rule_name,
+            parsed,
+        } = rule;
 
-        const badge =
-            is_private || is_global ? (
-                <span className="badge badge-info">
-                    {is_private ? "private" : "global"}
-                </span>
-            ) : null;
+        const private_badge = is_private ? (
+            <span className="badge bg-info">private</span>
+        ) : null;
+        const global_badge = is_global ? (
+            <span className="badge bg-info">private</span>
+        ) : null;
+        const degenerate_badge = is_degenerate ? (
+            <span className="badge bg-danger">degenerate</span>
+        ) : null;
+        const badges = (
+            <>
+                {private_badge} {global_badge} {degenerate_badge}
+            </>
+        );
 
         return (
             <div key={rule_name} className="mt-3">
@@ -22,7 +36,7 @@ const QueryParseStatus = (props) => {
                         <span className="me-2 font-weight-bold">
                             {rule_name}
                         </span>
-                        {badge}
+                        {badges}
                     </label>
                     <div className="jumbotron text-monospace text-break p-2">
                         {parsed}

src/mqueryfront/src/status/BackendStatus.js

@@ -32,7 +32,7 @@ class AgentStatus extends Component {
         let badge = null;
         if (!this.props.alive) {
             badge = (
-                <span className="badge badge-secondary badge-sm">offline</span>
+                <span className="badge bg-secondary badge-sm">offline</span>
             );
         }
 

src/schema.py

@@ -76,6 +76,7 @@ class ParseResponseSchema(BaseModel):
     rule_author: str
     is_global: bool
     is_private: bool
+    is_degenerate: bool
     parsed: str