github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-26 04:23:37 +08:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
e9a8c059ec
discourse/spec
History
Daniel Waterworth e9a8c059ec
SECURITY: Prevent large staff actions causing DoS 
This commit operates at three levels of abstraction:

 1. We want to prevent user history rows from being unbounded in size.
    This commit adds rails validations to limit the sizes of columns on
    user_histories,

 2. However, we don't want to prevent certain actions from being
    completed if these columns are too long. In those cases, we truncate
    the values that are given and store the truncated versions,

 3. For endpoints that perform staff actions, we can further control
    what is permitted by explicitly validating the params that are given
    before attempting the action,
2024-03-15 14:37:15 +08:00
..
fabricators DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
fixtures DEV: Improve site setting rename generator (#25354) 2024-01-25 10:45:46 +10:00
generator DEV: Improve site setting rename generator (#25354) 2024-01-25 10:45:46 +10:00
helpers FEATURE: Add support for custom site name in Open Graph metadata (#25373) 2024-01-22 13:57:52 -04:00
import_export DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
initializers DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
integration DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
integrity Enable Embroider/Webpack code spliting for Wizard (#24919) 2023-12-20 13:15:06 +00:00
jobs FIX: export csv file failed message (#25443) 2024-01-26 11:16:02 -07:00
lib FIX: Webauthn origin was incorrect for subfolder setups (#25651) (#25654) 2024-02-13 08:37:51 -05:00
mailers DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
migrations DEV: Switch over category settings to new table - Part 3 (#20657) 2023-09-12 09:51:49 +08:00
models SECURITY: Don't disclose the existence of secret subcategories 2024-03-15 14:37:11 +08:00
multisite DEV: Add S3 upload system specs using minio (#22975) 2023-08-23 11:18:33 +10:00
requests SECURITY: Prevent large staff actions causing DoS 2024-03-15 14:37:15 +08:00
script/import_scripts DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
serializers DEV: Remove full group refreshes from tests (#25414) 2024-01-25 14:28:26 +08:00
services SECURITY: Prevent large staff actions causing DoS 2024-03-15 14:37:15 +08:00
support DEV: Remove full group refreshes from tests (#25414) 2024-01-25 14:28:26 +08:00
system FEATURE: Auto generate and display video preview image (#25633) 2024-03-06 14:36:50 -07:00
tasks DEV: Add file_size_restriction site setting type (#24704) 2023-12-13 16:22:48 -07:00
views FIX: Use subfolder-safe url for category in html view (#24595) 2023-11-28 19:08:14 +08:00
rails_helper.rb DEV: Add early support for aarch64 dev env 2024-01-30 15:50:44 +01:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Bump rswag-specs from 2.11.0 to 2.13.0 (#24654) 2023-12-07 08:16:47 +08:00