Validate object ID length before saving post to database

2023-04-05 23:52:52 +00:00 · 2023-04-05 23:52:52 +00:00 · 970071a9f0
parent 20080333d0
commit 970071a9f0
3 changed files with 6 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -24,6 +24,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed

 - Added missing `CHECK` constraints to database tables.
+- Validate object ID length before saving post to database.

 ## [1.19.1] - 2023-03-31

--- a/src/activitypub/handlers/create.rs
+++ b/src/activitypub/handlers/create.rs
@ -54,6 +54,7 @@ use crate::validators::{
        EMOJIS_MAX_NUM,
        LINKS_MAX_NUM,
        MENTIONS_MAX_NUM,
+        OBJECT_ID_SIZE_MAX,
    },
    tags::validate_hashtag,
 };
@ -551,6 +552,9 @@ pub async fn handle_note(
            return Err(ValidationError("unsupported object type").into());
        },
    };
+    if object.id.len() > OBJECT_ID_SIZE_MAX {
+        return Err(ValidationError("object ID is too long").into());
+    };

    let author_id = get_object_attributed_to(&object)?;
    let author = get_or_import_profile_by_actor_id(
--- a/src/validators/posts.rs
+++ b/src/validators/posts.rs
@ -7,6 +7,7 @@ pub const MENTIONS_MAX_NUM: usize = 50;
 pub const LINKS_MAX_NUM: usize = 10;
 pub const EMOJIS_MAX_NUM: usize = 50;

+pub const OBJECT_ID_SIZE_MAX: usize = 200;
 pub const CONTENT_MAX_SIZE: usize = 100000;
 const CONTENT_ALLOWED_TAGS: [&str; 8] = [
    "a",