fix: enforce 65k character limit for setting values (#3162)

* Enforce 65k limit when attempting to store setting values. * Add space for style. * Move setting validation into Saving event listener. * Use consistent var names * remove extra space * Move settings validation into separate class. * Remove unused class. * Remove extra line. * Move ValidateCustomLess to SettingsServiceProvider. Use existing convention for validator. * Update src/Settings/SettingsValidator.php Co-authored-by: Alexander Skvortsov <38059171+askvortsov1@users.noreply.github.com> * Revert moving of ValidateCustomLess logic. Allow for attribute specific setting validation rules. * Style fixes. * Style fixes. * Style fixes. Co-authored-by: Alexander Skvortsov <38059171+askvortsov1@users.noreply.github.com>
2024-11-25 09:41:49 +08:00 · 2021-11-12 10:43:57 -08:00 · 2021-11-12 10:43:57 -08:00 · c67761c470
commit c67761c470
parent 196eae74d2
2 changed files with 73 additions and 0 deletions
--- a/framework/core/src/Settings/SettingsServiceProvider.php
+++ b/framework/core/src/Settings/SettingsServiceProvider.php
@ -10,7 +10,9 @@
 namespace Flarum\Settings;

 use Flarum\Foundation\AbstractServiceProvider;
+use Flarum\Settings\Event\Saving;
 use Illuminate\Contracts\Container\Container;
+use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Database\ConnectionInterface;
 use Illuminate\Support\Collection;

@ -41,4 +43,14 @@ class SettingsServiceProvider extends AbstractServiceProvider

        $this->container->alias(SettingsRepositoryInterface::class, 'flarum.settings');
    }
+
+    public function boot(Dispatcher $events, SettingsValidator $settingsValidator)
+    {
+        $events->listen(
+            Saving::class,
+            function (Saving $event) use ($settingsValidator) {
+                $settingsValidator->assertValid($event->settings);
+            }
+        );
+    }
 }
--- a/framework/core/src/Settings/SettingsValidator.php
+++ b/framework/core/src/Settings/SettingsValidator.php
@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Settings;
+
+use Flarum\Foundation\AbstractValidator;
+
+class SettingsValidator extends AbstractValidator
+{
+    /**
+     * @var array
+     */
+    protected $rules = [];
+
+    /**
+     * These rules apply to all attributes.
+     *
+     * Entries in the default DB settings table are limited to 65,000
+     * characters. We validate against this to avoid confusing errors.
+     *
+     * @var array
+     */
+    protected $globalRules = [
+        'max:65000',
+    ];
+
+    /**
+     * Make a new validator instance for this model.
+     *
+     * @param array $attributes
+     * @return \Illuminate\Validation\Validator
+     */
+    protected function makeValidator(array $attributes)
+    {
+        // Apply global rules first.
+        $rules = array_map(function () {
+            return $this->globalRules;
+        }, $attributes);
+
+        // Apply attribute specific rules.
+        foreach ($rules as $key => $value) {
+            if (array_key_exists($key, $this->rules)) {
+                $rules[$key] = array_merge($rules[$key], $this->rules[$key]);
+            }
+        }
+
+        $validator = $this->validator->make($attributes, $rules, $this->getMessages());
+
+        foreach ($this->configuration as $callable) {
+            $callable($this, $validator);
+        }
+
+        return $validator;
+    }
+}