SECURITY: Check the length of raw post body (#19734)

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
This commit is contained in:
Alan Guo Xiang Tan 2023-01-05 08:51:21 +08:00 committed by GitHub
parent 66ab2d71ff
commit b9e2e997f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 5 deletions

View File

@ -2,12 +2,16 @@
class StrippedLengthValidator < ActiveModel::EachValidator
def self.validate(record, attribute, value, range)
if !value.nil?
value = get_sanitized_value(value)
record.errors.add attribute, (I18n.t('errors.messages.too_short', count: range.begin)) if value.length < range.begin
record.errors.add attribute, (I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)) if value.length > range.end
if value.nil?
record.errors.add attribute, I18n.t('errors.messages.blank')
elsif value.length > range.end
record.errors.add attribute, I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)
else
record.errors.add attribute, (I18n.t('errors.messages.blank'))
value = get_sanitized_value(value)
if value.length < range.begin
record.errors.add attribute, I18n.t('errors.messages.too_short', count: range.begin)
end
end
end

View File

@ -975,6 +975,20 @@ describe PostsController do
parsed = response.parsed_body
expect(parsed["action"]).not_to eq("enqueued")
end
it "doesn't enqueue replies when the post is too long (including a html comment)" do
SiteSetting.max_post_length = 10
raw = "A post <!-- " + ("a" * 3000) + "-->"
post "/posts.json", params: {
raw: raw,
title: "this is the test title for the topic"
}
expect(response).not_to be_successful
parsed = response.parsed_body
expect(parsed["action"]).not_to eq("enqueued")
end
end
it 'silences correctly based on auto_silence_first_post_regex' do