discourse/spec
Alan Guo Xiang Tan 3e331b1725
DEV: Set a bytesize limit for ThemeSetting#json_value (#25761)
Why this change?

Firstly, note that this is not a security commit because this feature is
still in development and should not be used anywhere.

The reason we want to set a limit here is to greatly reduce the
possibility of a DoS attack in the future via `ThemeSetting` where
someone would set an arbitrarily large json string in
`ThemeSetting#json_value`, causing the server to run out of resources
trying to serialize/deserialize the value.

What does this change do?

Adds an ActiveRecord validation to ensure that the bytesize of the json
string being stored is smaller than or equal to 0.5mb. We believe 0.5mb
is a decent limit for now but we can review the limit in the future if
we believe it is too small.
2024-02-21 08:09:37 +08:00
fabricators DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
fixtures DEV: Refactor subclasses in ThemeSettingsManager to individual files (#25605) 2024-02-08 12:59:52 +08:00
generator DEV: Improve site setting rename generator (#25354) 2024-01-25 10:45:46 +10:00
helpers FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
import_export DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
initializers DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
integration DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
integrity Enable Embroider/Webpack code splitting for Wizard (#24919) 2023-12-20 13:15:06 +00:00
jobs DEV: Increase default SMTP read timeout to 30s (#25763) 2024-02-21 07:13:18 +10:00
lib DEV: Support validations options for string and numeral types (#25719) 2024-02-20 09:17:27 +08:00
mailers DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
migrations DEV: Switch over category settings to new table - Part 3 (#20657) 2023-09-12 09:51:49 +08:00
models DEV: Set a bytesize limit for ThemeSetting#json_value (#25761) 2024-02-21 08:09:37 +08:00
multisite DEV: Add S3 upload system specs using minio (#22975) 2023-08-23 11:18:33 +10:00
requests DEV: Async category search for sidebar modal (#25686) 2024-02-20 11:24:30 -06:00
script/import_scripts DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
serializers FIX: Preload parent categories for sidebar (#25726) 2024-02-16 16:39:18 +02:00
services DEV: Change min_trust_level_to_allow_profile_background to trust level setting (#25721) 2024-02-19 10:47:47 +10:00
support FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
system UX: hide the draggable icon in the sidebar form on mobile (#25738) 2024-02-21 09:16:49 +11:00
tasks DEV: Add file_size_restriction site setting type (#24704) 2023-12-13 16:22:48 -07:00
views FIX: Use subfolder-safe url for category in html view (#24595) 2023-11-28 19:08:14 +08:00
rails_helper.rb DEV: Disable BlockRequestsMiddleware before every test (#25712) 2024-02-16 07:01:36 +08:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Bump rswag-specs from 2.11.0 to 2.13.0 (#24654) 2023-12-07 08:16:47 +08:00