From 5993c647a56ae9229f6ffe4ba26154700f599a51 Mon Sep 17 00:00:00 2001
From: Garrett Grimm <grimmdude@gmail.com>
Date: Fri, 12 Nov 2021 10:43:57 -0800
Subject: [PATCH] fix: enforce 65k character limit for setting values (#3162)

* Enforce 65k limit when attempting to store setting values.

* Add space for style.

* Move setting validation into Saving event listener.

* Use consistent var names

* remove extra space

* Move settings validation into separate class.

* Remove unused class.

* Remove extra line.

* Move ValidateCustomLess to SettingsServiceProvider.  Use existing convention for validator.

* Update src/Settings/SettingsValidator.php

Co-authored-by: Alexander Skvortsov <38059171+askvortsov1@users.noreply.github.com>

* Revert moving of ValidateCustomLess logic.  Allow for attribute specific setting validation rules.

* Style fixes.

* Style fixes.

* Style fixes.

Co-authored-by: Alexander Skvortsov <38059171+askvortsov1@users.noreply.github.com>
---
 src/Settings/SettingsServiceProvider.php | 12 +++++
 src/Settings/SettingsValidator.php       | 61 ++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 src/Settings/SettingsValidator.php

diff --git a/src/Settings/SettingsServiceProvider.php b/src/Settings/SettingsServiceProvider.php
index 4f12a8b15..942d842c9 100644
--- a/src/Settings/SettingsServiceProvider.php
+++ b/src/Settings/SettingsServiceProvider.php
@@ -10,7 +10,9 @@
 namespace Flarum\Settings;
 
 use Flarum\Foundation\AbstractServiceProvider;
+use Flarum\Settings\Event\Saving;
 use Illuminate\Contracts\Container\Container;
+use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Database\ConnectionInterface;
 use Illuminate\Support\Collection;
 
@@ -41,4 +43,14 @@ class SettingsServiceProvider extends AbstractServiceProvider
 
         $this->container->alias(SettingsRepositoryInterface::class, 'flarum.settings');
     }
+
+    public function boot(Dispatcher $events, SettingsValidator $settingsValidator)
+    {
+        $events->listen(
+            Saving::class,
+            function (Saving $event) use ($settingsValidator) {
+                $settingsValidator->assertValid($event->settings);
+            }
+        );
+    }
 }
diff --git a/src/Settings/SettingsValidator.php b/src/Settings/SettingsValidator.php
new file mode 100644
index 000000000..cf73aa5be
--- /dev/null
+++ b/src/Settings/SettingsValidator.php
@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Settings;
+
+use Flarum\Foundation\AbstractValidator;
+
+class SettingsValidator extends AbstractValidator
+{
+    /**
+     * @var array
+     */
+    protected $rules = [];
+
+    /**
+     * These rules apply to all attributes.
+     *
+     * Entries in the default DB settings table are limited to 65,000
+     * characters. We validate against this to avoid confusing errors.
+     *
+     * @var array
+     */
+    protected $globalRules = [
+        'max:65000',
+    ];
+
+    /**
+     * Make a new validator instance for this model.
+     *
+     * @param array $attributes
+     * @return \Illuminate\Validation\Validator
+     */
+    protected function makeValidator(array $attributes)
+    {
+        // Apply global rules first.
+        $rules = array_map(function () {
+            return $this->globalRules;
+        }, $attributes);
+
+        // Apply attribute specific rules.
+        foreach ($rules as $key => $value) {
+            if (array_key_exists($key, $this->rules)) {
+                $rules[$key] = array_merge($rules[$key], $this->rules[$key]);
+            }
+        }
+
+        $validator = $this->validator->make($attributes, $rules, $this->getMessages());
+
+        foreach ($this->configuration as $callable) {
+            $callable($this, $validator);
+        }
+
+        return $validator;
+    }
+}