SECURITY: Check the length of raw post body (#19733)
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
tgxworld and CvX committed Jan 4, 2023
1 parent 6923298 commit bf6b086
Showing 2 changed files with 23 additions and 5 deletions.
14 changes: 9 additions & 5 deletions lib/validators/stripped_length_validator.rb
Expand Up @@ -2,12 +2,16 @@

class StrippedLengthValidator < ActiveModel::EachValidator
def self.validate(record, attribute, value, range)
if !value.nil?
value = get_sanitized_value(value)
record.errors.add attribute, (I18n.t('errors.messages.too_short', count: range.begin)) if value.length < range.begin
record.errors.add attribute, (I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)) if value.length > range.end
if value.nil?
record.errors.add attribute, I18n.t('errors.messages.blank')
elsif value.length > range.end
record.errors.add attribute, I18n.t('errors.messages.too_long_validation', max: range.end, length: value.length)
else
record.errors.add attribute, (I18n.t('errors.messages.blank'))
value = get_sanitized_value(value)

if value.length < range.begin
record.errors.add attribute, I18n.t('errors.messages.too_short', count: range.begin)
end
end
end

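Review bot: The `elsif value.length > range.end` branch is the whole point of the change, but nothing in the new code says why it must run before `get_sanitized_value`, and a later cleanup could easily fold it back into the sanitized path; add a comment above it such as `# Bound the raw length before sanitizing: sanitizing is the expensive step, so it must not run on input that would be rejected anyway.` Note also that `length:` in the too_long message is now the raw length (markup and comments included) while the too_short check at the bottom still measures the sanitized value, so the two limits count different things; a short comment, `# too_short is measured on the sanitized value, too_long above on the raw one`, would make that asymmetry read as deliberate. The class continues past the hunk.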
14 changes: 14 additions & 0 deletions spec/requests/posts_controller_spec.rb
Expand Up @@ -1050,6 +1050,20 @@
parsed = response.parsed_body
expect(parsed["action"]).not_to eq("enqueued")
end

it "doesn't enqueue replies when the post is too long (including a html comment)" do
SiteSetting.max_post_length = 10
raw = "A post <!-- " + ("a" * 3000) + "-->"

post "/posts.json", params: {
raw: raw,
title: "this is the test title for the topic"
}

expect(response).not_to be_successful
parsed = response.parsed_body
expect(parsed["action"]).not_to eq("enqueued")
end
end

it 'silences correctly based on auto_silence_first_post_regex' do
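Review bot: The new example asserts only `expect(response).not_to be_successful` plus the enqueue check, so any non-2xx response (a permission failure, an unrelated validation error) would also pass it and a regression of the raw-length guard could go unnoticed; it should additionally assert that the returned error is the too-long validation message, inspecting `parsed` the way the surrounding examples do (the exact key depends on the controller's error serializer, which is not visible here). As a point of style the body can be built with interpolation rather than concatenation, `raw = "A post <!-- #{'a' * 3000}-->"`. The enclosing describe block starts and ends outside the hunk.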
