SECURITY: Check the length of raw post body (#19733)

Co-authored-by: Jarek Radosz <jradosz@gmail.com>

lib/validators/stripped_length_validator.rb

@@ -2,12 +2,16 @@
 
 class StrippedLengthValidator < ActiveModel::EachValidator
   def self.validate(record, attribute, value, range)
-    if !value.nil?
-      value = get_sanitized_value(value)
-      record.errors.add attribute, (I18n.t('errors.messages.too_short', count: range.begin)) if value.length < range.begin
-      record.errors.add attribute, (I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)) if value.length > range.end
+    if value.nil?
+      record.errors.add attribute, I18n.t('errors.messages.blank')
+    elsif value.length > range.end
+      record.errors.add attribute, I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)
     else
-      record.errors.add attribute, (I18n.t('errors.messages.blank'))
+      value = get_sanitized_value(value)
+
+      if value.length < range.begin
+        record.errors.add attribute, I18n.t('errors.messages.too_short', count: range.begin)
+      end
     end
   end
 

spec/requests/posts_controller_spec.rb

@@ -1050,6 +1050,20 @@ RSpec.describe PostsController do
           parsed = response.parsed_body
           expect(parsed["action"]).not_to eq("enqueued")
         end
+
+        it "doesn't enqueue replies when the post is too long (including a html comment)" do
+          SiteSetting.max_post_length = 10
+          raw = "A post <!-- " + ("a" * 3000) + "-->"
+
+          post "/posts.json", params: {
+            raw: raw,
+            title: "this is the test title for the topic"
+          }
+
+          expect(response).not_to be_successful
+          parsed = response.parsed_body
+          expect(parsed["action"]).not_to eq("enqueued")
+        end
       end
 
       it 'silences correctly based on auto_silence_first_post_regex' do