From ec534da93dff34ac3a02d96042d1a3498a288e3f Mon Sep 17 00:00:00 2001 From: M Ember Mou Date: Thu, 9 Apr 2020 10:37:19 -0700 Subject: [PATCH] add max length check to vouch text (#178) * add maxLength string check * address pr comments --- lib/schema3.js | 19 ++++++++++++++----- lib/wot.js | 8 ++++++-- src/schema3.iced | 8 ++++++-- src/wot.iced | 4 ++-- test/files/wot.iced | 31 +++++++++++++++++++++++++++++++ 5 files changed, 59 insertions(+), 11 deletions(-) diff --git a/lib/schema3.js b/lib/schema3.js index 0a3c88b..6c412e4 100644 --- a/lib/schema3.js +++ b/lib/schema3.js @@ -415,16 +415,23 @@ String = (function(_super) { __extends(String, _super); - function String() { - return String.__super__.constructor.apply(this, arguments); + function String(_arg) { + var args; + args = _arg.args; + this._args = args; } String.prototype._check = function(_arg) { - var obj, path; + var max_length, obj, path, _ref; path = _arg.path, obj = _arg.obj; if (typeof obj !== 'string' || obj.length === 0) { return mkerr(path, "value must be a string"); } + if ((max_length = (_ref = this._args) != null ? _ref.max_length : void 0) != null) { + if (obj.length > max_length) { + return mkerr(path, "value length needs to be < " + max_length); + } + } return null; }; @@ -655,8 +662,10 @@ return new LinkType({}); }; - exports.string = function() { - return new String({}); + exports.string = function(args) { + return new String({ + args: args + }); }; exports.value = function(v) { diff --git a/lib/wot.js b/lib/wot.js index cc41637..b609225 100644 --- a/lib/wot.js +++ b/lib/wot.js 
@@ -79,10 +79,14 @@ confidence: schema.dict({ username_verified_via: schema.string_enum(["in_person", "proofs", "video", "audio", "other_chat", "familiar", "other"]).optional(), proofs: schema.array(proof_schema).optional(), - other: schema.string().optional() + other: schema.string({ + max_length: 90 + }).optional() }), failing_proofs: schema.array(proof_schema).optional(), - vouch_text: schema.string() + vouch_text: schema.string({ + max_length: 700 + }) }); err = schm.check(obj); return cb(err); diff --git a/src/schema3.iced b/src/schema3.iced index 3af93db..fa59fe3 100644 --- a/src/schema3.iced +++ b/src/schema3.iced @@ -165,8 +165,13 @@ class ChainType extends Node return null class String extends Node + constructor : ({args}) -> + @_args = args + _check : ({path, obj}) -> if typeof(obj) isnt 'string' or obj.length is 0 then return mkerr path, "value must be a string" + if (max_length = @_args?.max_length)? + if obj.length > max_length then return mkerr path, "value length needs to be < #{max_length}" return null class StringEnum extends Node @@ -179,7 +184,6 @@ class StringEnum extends Node if not @_values[obj] then return mkerr path, "unknown enum value (#{obj})" return null - class Value extends Node constructor : (@_value) -> _check : ({path, obj}) -> @@ -227,7 +231,7 @@ exports.time = () -> new Time {} exports.int = () -> new Int {} exports.chain_type = () -> new ChainType {} exports.link_type = () -> new LinkType {} -exports.string = () -> new String {} +exports.string = (args)-> new String { args: args } exports.value = (v) -> new Value v exports.bool = () -> new Bool {} exports.struct = (s) -> new Struct {slots : s} diff --git a/src/wot.iced b/src/wot.iced index 8d22a38..dfcfdcd 100644 --- a/src/wot.iced +++ b/src/wot.iced 
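Review bot: In the `String._check` hunk of src/schema3.iced the guard is `obj.length > max_length`, so a string of exactly `max_length` is accepted, yet the error text says the length "needs to be < #{max_length}"; the message should read `"value length needs to be <= #{max_length}"`, or the comparison should become `>=` if the limit is meant to be exclusive. `obj.length` counts UTF-16 code units, so the cap is neither a byte limit nor a character limit; a comment such as `# max_length is measured in UTF-16 code units, not bytes` would make that explicit for anyone sizing signed payloads against it. The new constructor does not call `super` and `max_length` is used without checking that it is a number; whether `Node` needs constructor setup is not visible in this hunk, so that should be confirmed. The generated lib/schema3.js hunk carries the same message text.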
@@ -59,10 +59,10 @@ exports.Vouch = class Vouch extends Base confidence : schema.dict({ username_verified_via : schema.string_enum(["in_person", "proofs", "video", "audio", "other_chat", "familiar", "other"]).optional() proofs: schema.array(proof_schema).optional() - other : schema.string().optional() + other : schema.string({max_length: 90}).optional() }) failing_proofs : schema.array(proof_schema).optional() - vouch_text : schema.string() + vouch_text : schema.string({max_length: 700}) }) err = schm.check(obj) cb err diff --git a/test/files/wot.iced b/test/files/wot.iced index ab0b1f5..8334cdd 100644 --- a/test/files/wot.iced +++ b/test/files/wot.iced @@ -67,3 +67,34 @@ exports.wot_vouch_happy = (T,cb) -> T.equal outer[4], constants.sig_types_v2.wot.vouch_with_revoke, "revoke picked up" cb null + +exports.wot_vouch_bad = (T,cb) -> + esc = make_esc cb + await new_km_and_sig_arg {}, esc defer me + await new_km_and_sig_arg {}, esc defer them + me.wot = + vouch : + user : + username : them.user.local.username + uid : them.user.local.uid + eldest: + kid : them.sig_eng.km.key.ekid().toString('hex') + seqno : 1 + seq_tail : + seqno : 20 + sig_id : new_sig_id() + payload_hash : new_payload_hash() + confidence : + username_verified_via : "audio" + other : "this string is longer than 90 char this string is longer than 90 char this string is longer than 90 char this string is longer than 90 char" + vouch_text : "darn rootin tootin" + obj = new wot.Vouch me + await obj.generate_v2 esc(defer(out)), {dohash:true} + + verifier = alloc out.inner.obj.body.type, me + varg = { armored : out.armored, skip_ids : true, make_ids : true, inner : out.inner.str, expansions : out.expansions, require_packet_hash :true} + await verifier.verify_v2 varg, defer err + T.assert err?, "got an error back" + T.assert (err.message.indexOf(".confidence.other") >= 0), "found right error message" + + cb null
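Review bot: The limits `max_length: 90` on `confidence.other` and `max_length: 700` on `vouch_text` in the src/wot.iced hunk are applied unconditionally, and the added test shows the check failing inside `verify_v2`, so any vouch statement signed before this change with longer text would presumably stop verifying. If such links can already exist, the limit needs a version or date gate rather than a blanket schema check. The two numbers are also unexplained literals; naming them (for example `MAX_VOUCH_TEXT_LEN = 700`) with a comment saying where the values come from would help clients and this library stay in agreement. The enclosing function starts outside the hunk.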
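Review bot: `wot_vouch_bad` in test/files/wot.iced covers only an over-long `confidence.other`; nothing exercises the 700-character cap on `vouch_text` or the boundary itself (exactly 90 characters accepted, 91 rejected), which is where the `>` comparison and the "<" wording in the schema would be pinned down. The test also shows `generate_v2` succeeding with the over-long value and only `verify_v2` rejecting it, so a signer can apparently emit a statement that verifiers refuse; either a check on the generate path or an assertion that this is intended would settle it. If `T.assert err?` does not abort the test, `err.message.indexOf` on the next line throws a TypeError when no error comes back; `T.assert (err?.message?.indexOf(".confidence.other") >= 0), "found right error message"` keeps the failure readable.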