SECURITY: Limit the character count of group membership requests (#19993)

When creating a group membership request, there is no character
limit on the 'reason' field. This can be potentially be used by
an attacker to create enormous amount of data in the database.

Co-authored-by: Ted Johansson <ted@discourse.org>
This commit is contained in:
Natalie Tay 2023-01-25 19:50:33 +08:00 committed by GitHub
parent f91ac52a22
commit d5745d34c2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 1 deletions

View File

@ -5,7 +5,7 @@
{{i18n "groups.membership_request.reason"}} {{i18n "groups.membership_request.reason"}}
</label> </label>
<ExpandingTextArea @value={{this.reason}} /> <ExpandingTextArea @value={{this.reason}} @maxlength="280" />
</div> </div>
</DModalBody> </DModalBody>

View File

@ -1,8 +1,12 @@
# frozen_string_literal: true # frozen_string_literal: true
class GroupRequest < ActiveRecord::Base class GroupRequest < ActiveRecord::Base
REASON_CHARACTER_LIMIT = 280
belongs_to :group belongs_to :group
belongs_to :user belongs_to :user
validates :reason, length: { maximum: REASON_CHARACTER_LIMIT }
end end
# == Schema Information # == Schema Information

View File

@ -0,0 +1,10 @@
# frozen_string_literal: true
RSpec.describe GroupRequest do
it { is_expected.to belong_to :user }
it { is_expected.to belong_to :group }
it do
is_expected.to validate_length_of(:reason).is_at_most(described_class::REASON_CHARACTER_LIMIT)
end
end

View File

@ -2198,6 +2198,20 @@ RSpec.describe GroupsController do
expect(response.status).to eq(409) expect(response.status).to eq(409)
end end
it "limits the character count of the reason" do
sign_in(user)
post "/groups/#{group.name}/request_membership.json",
params: {
reason: "x" * (GroupRequest::REASON_CHARACTER_LIMIT + 1),
}
expect(response.status).to eq(422)
expect(response.parsed_body["errors"]).to contain_exactly(
"Reason is too long (maximum is 280 characters)",
)
end
it "should create the right PM" do it "should create the right PM" do
owner1 = Fabricate(:user, last_seen_at: Time.zone.now) owner1 = Fabricate(:user, last_seen_at: Time.zone.now)
owner2 = Fabricate(:user, last_seen_at: Time.zone.now - 1.day) owner2 = Fabricate(:user, last_seen_at: Time.zone.now - 1.day)