SECURITY: Limit the character count of group membership requests (#19993)

When creating a group membership request, there is no character
limit on the 'reason' field. This can be potentially be used by
an attacker to create enormous amount of data in the database.

Co-authored-by: Ted Johansson <ted@discourse.org>

app/assets/javascripts/discourse/app/templates/modal/request-group-membership-form.hbs

@@ -5,7 +5,7 @@
         {{i18n "groups.membership_request.reason"}}
       </label>
 
-      <ExpandingTextArea @value={{this.reason}} />
+      <ExpandingTextArea @value={{this.reason}} @maxlength="280" />
     </div>
   </DModalBody>
 

app/models/group_request.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
 class GroupRequest < ActiveRecord::Base
+  REASON_CHARACTER_LIMIT = 280
+
   belongs_to :group
   belongs_to :user
+
+  validates :reason, length: { maximum: REASON_CHARACTER_LIMIT }
 end
 
 # == Schema Information

spec/models/group_request_spec.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+RSpec.describe GroupRequest do
+  it { is_expected.to belong_to :user }
+  it { is_expected.to belong_to :group }
+
+  it do
+    is_expected.to validate_length_of(:reason).is_at_most(described_class::REASON_CHARACTER_LIMIT)
+  end
+end

spec/requests/groups_controller_spec.rb

@@ -2198,6 +2198,20 @@ RSpec.describe GroupsController do
       expect(response.status).to eq(409)
     end
 
+    it "limits the character count of the reason" do
+      sign_in(user)
+
+      post "/groups/#{group.name}/request_membership.json",
+           params: {
+             reason: "x" * (GroupRequest::REASON_CHARACTER_LIMIT + 1),
+           }
+
+      expect(response.status).to eq(422)
+      expect(response.parsed_body["errors"]).to contain_exactly(
+        "Reason is too long (maximum is 280 characters)",
+      )
+    end
+
     it "should create the right PM" do
       owner1 = Fabricate(:user, last_seen_at: Time.zone.now)
       owner2 = Fabricate(:user, last_seen_at: Time.zone.now - 1.day)