SECURITY: Limit user profile field length (#18302)
Adds limits to location and website fields at model and DB level
to match the bio_raw field limits. A limit cannot be added at the
DB level for bio_raw because it is a postgres text field.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
martin-brennan and tgxworld committed Sep 21, 2022
1 parent b98cd73 commit e69f7d2
Showing 3 changed files with 38 additions and 4 deletions.
8 changes: 4 additions & 4 deletions app/models/user_profile.rb
Expand Up @@ -13,9 +13,9 @@ class UserProfile < ActiveRecord::Base
has_many :user_profile_views, dependent: :destroy

validates :bio_raw, length: { maximum: 3000 }, watched_words: true
validates :website, url: true, allow_blank: true, if: :validate_website?
validates :website, url: true, length: { maximum: 3000 }, allow_blank: true, if: :validate_website?
validates :location, length: { maximum: 3000 }, watched_words: true
validates :user, presence: true
validates :location, watched_words: true

validate :website_domain_validator, if: :validate_website?

Expand Down Expand Up @@ -188,8 +188,8 @@ def validate_website?
# Table name: user_profiles
#
# user_id :integer not null, primary key
# location :string
# website :string
# location :string(3000)
# website :string(3000)
# bio_raw :text
# bio_cooked :text
# dismissed_banner_key :integer
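Review bot: The new `length: { maximum: 3000 }` on `website` is gated by the same `if: :validate_website?` as the URL check, so whenever that predicate returns false an over-long website skips model validation entirely and only fails at the database, surfacing as an exception (`ActiveRecord::ValueTooLong` on PostgreSQL) instead of a validation error — unlike the `location` line, where the length check is unconditional. Consider splitting it out so it always runs: `validates :website, length: { maximum: 3000 }` on its own line, keeping `validates :website, url: true, allow_blank: true, if: :validate_website?` as before. The body of `validate_website?` is not visible in this hunk, so whether it can return false in practice is inferred only from its use as a condition. Both layers count characters (Rails `length` and PostgreSQL `varchar(3000)`), so the model and DB limits agree.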
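--- /dev/null
+++ b/db/migrate/20220920044310_enforce_user_profile_max_limits.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class EnforceUserProfileMaxLimits < ActiveRecord::Migration[7.0]
+def change
+execute "UPDATE user_profiles SET location = LEFT(location, 3000) WHERE location IS NOT NULL"
+execute "UPDATE user_profiles SET website = LEFT(website, 3000) WHERE website IS NOT NULL"
+
+change_column :user_profiles, :location, :string, limit: 3000
+change_column :user_profiles, :website, :string, limit: 3000
+end
+end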
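Review bot: The two `UPDATE` statements rewrite every non-null row because the `WHERE` clause only excludes NULLs, even though only values longer than 3000 characters need changing; on a large `user_profiles` table that is a full-table rewrite under row locks for no benefit. Restricting them to the affected rows is also NULL-safe: `execute "UPDATE user_profiles SET location = LEFT(location, 3000) WHERE LENGTH(location) > 3000"` and the same for `website`. Separately, `change_column` inside `def change` cannot be reversed by Rails (rollback raises `ActiveRecord::IrreversibleMigration`), and the truncation is lossy regardless; an explicit `up`/`down` pair with `down` dropping the limit, or a comment stating the migration is intentionally one-way, would make that visible to whoever rolls it back. `LEFT` and `LENGTH` count characters in PostgreSQL, which matches the model's character-based `length` validation.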
23 changes: 23 additions & 0 deletions spec/models/user_profile_spec.rb
Expand Up @@ -42,6 +42,15 @@
end
end

context "when it is > 3000 characters" do
before { profile.location = "a" * 3500 }

it "is not valid" do
expect(profile.valid?).to eq(false)
expect(profile.errors.full_messages).to include(/Location is too long \(maximum is 3000 characters\)/)
end
end

context "when it does not contain watched words" do
it { is_expected.to be_valid }
end
Expand All @@ -63,6 +72,15 @@
end
end

context "when it is > 3000 characters" do
before { profile.bio_raw = "a" * 3500 }

it "is not valid" do
expect(profile.valid?).to eq(false)
expect(profile.errors.full_messages).to include(/About Me is too long \(maximum is 3000 characters\)/)
end
end

context "when it does not contain watched words" do
it { is_expected.to be_valid }
end
Expand Down Expand Up @@ -129,6 +147,11 @@
user_profile.website = 'user - https://forum.example.com/user'
expect { user_profile.save! }.to raise_error(ActiveRecord::RecordInvalid)
end

it "does not allow > 3000 characters" do
user_profile.website = "a" * 3500
expect(user_profile).to_not be_valid
end
end

describe 'after save' do
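Review bot: The new website spec sets `user_profile.website = "a" * 3500`, which is not a URL, so the existing `url: true` validator already makes the record invalid and the assertion passes whether or not the new length limit exists; the location and bio_raw specs avoid this by matching the specific "is too long" message. Use an over-long but well-formed URL and assert on the message, e.g. `user_profile.website = "https://example.com/#{'a' * 3500}"` followed by `expect(user_profile.errors.full_messages).to include(/Website is too long \(maximum is 3000 characters\)/)`, bearing in mind the domain validator may also run depending on `validate_website?`, which is defined outside these hunks. None of the three new specs checks the boundary — a value of exactly 3000 characters should remain valid, which would catch an off-by-one if the limit were ever adjusted. The enclosing `describe`/`context` blocks start and end outside the hunks shown.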
