SECURITY: Limit length of edit reason column

2023-07-28 12:53:49 +01:00 · 2023-07-28 12:53:49 +01:00 · dcc825bda5
parent 62a609ea2d
commit dcc825bda5
2 changed files with 2 additions and 0 deletions
--- a/app/models/post.rb
+++ b/app/models/post.rb
@ -64,6 +64,7 @@ class Post < ActiveRecord::Base
  has_many :reviewables, as: :target, dependent: :destroy

  validates_with PostValidator, unless: :skip_validation
+  validates :edit_reason, length: { maximum: 1000 }

  after_commit :index_search

--- a/spec/models/post_spec.rb
+++ b/spec/models/post_spec.rb
@ -61,6 +61,7 @@ RSpec.describe Post do
  end

  it { is_expected.to validate_presence_of :raw }
+  it { is_expected.to validate_length_of(:edit_reason).is_at_most(1000) }

  # Min/max body lengths, respecting padding
  it { is_expected.not_to allow_value("x").for(:raw) }