SECURITY: Check the length of raw post body (#19733)

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
Alan Guo Xiang Tan 2023-01-05 06:08:43 +08:00 committed by GitHub
parent 692329896a
commit bf6b08670a
2 changed files with 23 additions and 5 deletions


@ -2,12 +2,16 @@
class StrippedLengthValidator < ActiveModel::EachValidator class StrippedLengthValidator < ActiveModel::EachValidator
def self.validate(record, attribute, value, range) def self.validate(record, attribute, value, range)
if !value.nil? if value.nil?
value = get_sanitized_value(value) record.errors.add attribute, I18n.t('errors.messages.blank')
record.errors.add attribute, (I18n.t('errors.messages.too_short', count: range.begin)) if value.length < range.begin elsif value.length > range.end
record.errors.add attribute, (I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)) if value.length > range.end record.errors.add attribute, I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)
else else
record.errors.add attribute, (I18n.t('errors.messages.blank')) value = get_sanitized_value(value)
if value.length < range.begin
record.errors.add attribute, I18n.t('errors.messages.too_short', count: range.begin)
end
end end
end end
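Review bot: The ordering in the new `validate` is the whole security fix — the `elsif value.length > range.end` branch now measures the raw value before `get_sanitized_value` runs — but nothing in the code says so, and a later tidy-up could move the sanitization back above the length check and silently reopen the issue. I would add a comment on the `elsif` line: `# Check the raw length first: sanitizing presumably drops content (the spec covers HTML comments), so a huge raw body could otherwise pass the max-length check.` It would also be worth noting that `too_long_validation` is reported with the raw `value.length` while `too_short` is judged on the sanitized value, so the two error messages intentionally measure different things. `get_sanitized_value` is defined outside this hunk, so I cannot confirm from here exactly what it strips.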


@ -1050,6 +1050,20 @@ RSpec.describe PostsController do
parsed = response.parsed_body parsed = response.parsed_body
expect(parsed["action"]).not_to eq("enqueued") expect(parsed["action"]).not_to eq("enqueued")
end end
it "doesn't enqueue replies when the post is too long (including a html comment)" do
SiteSetting.max_post_length = 10
raw = "A post <!-- " + ("a" * 3000) + "-->"
post "/posts.json", params: {
raw: raw,
title: "this is the test title for the topic"
}
expect(response).not_to be_successful
parsed = response.parsed_body
expect(parsed["action"]).not_to eq("enqueued")
end
end end
it 'silences correctly based on auto_silence_first_post_regex' do it 'silences correctly based on auto_silence_first_post_regex' do
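Review bot: The new example only asserts `expect(response).not_to be_successful` and that the action was not `"enqueued"`, so it would still pass if the post were rejected for an unrelated reason (for example a title or rate-limit validation), which makes it a weak regression guard for this specific fix. Consider also asserting the rejection reason, e.g. that the parsed error body mentions the post-length limit — the exact key and wording depend on how the controller serializes validation errors, which is not visible in this hunk. As a style point, `raw = "A post <!-- " + ("a" * 3000) + "-->"` reads better as interpolation: `raw = "A post <!-- #{'a' * 3000}-->"`. The surrounding `describe`/`context` block starts outside this hunk.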