From 970071a9f07964598378be835b93a5cf3126af95 Mon Sep 17 00:00:00 2001
From: silverpill
Date: Wed, 5 Apr 2023 23:52:52 +0000
Subject: [PATCH] Validate object ID length before saving post to database

---
 CHANGELOG.md                       | 1 +
 src/activitypub/handlers/create.rs | 4 ++++
 src/validators/posts.rs            | 1 +
 3 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index df58e86..0b96b3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 - Added missing `CHECK` constraints to database tables.
+- Validate object ID length before saving post to database.
 
 ## [1.19.1] - 2023-03-31
 
diff --git a/src/activitypub/handlers/create.rs b/src/activitypub/handlers/create.rs
index db7cda3..aa42d7f 100644
--- a/src/activitypub/handlers/create.rs
+++ b/src/activitypub/handlers/create.rs
@@ -54,6 +54,7 @@ use crate::validators::{
         EMOJIS_MAX_NUM,
         LINKS_MAX_NUM,
         MENTIONS_MAX_NUM,
+        OBJECT_ID_SIZE_MAX,
     },
     tags::validate_hashtag,
 };
@@ -551,6 +552,9 @@ pub async fn handle_note(
             return Err(ValidationError("unsupported object type").into());
         },
     };
+    if object.id.len() > OBJECT_ID_SIZE_MAX {
+        return Err(ValidationError("object ID is too long").into());
+    };
 
     let author_id = get_object_attributed_to(&object)?;
     let author = get_or_import_profile_by_actor_id(
diff --git a/src/validators/posts.rs b/src/validators/posts.rs
index 1e9e33c..47c4ad9 100644
--- a/src/validators/posts.rs
+++ b/src/validators/posts.rs
@@ -7,6 +7,7 @@ pub const MENTIONS_MAX_NUM: usize = 50;
 pub const LINKS_MAX_NUM: usize = 10;
 pub const EMOJIS_MAX_NUM: usize = 50;
+pub const OBJECT_ID_SIZE_MAX: usize = 200;
 pub const CONTENT_MAX_SIZE: usize = 100000;
 
 const CONTENT_ALLOWED_TAGS: [&str; 8] = [
     "a",
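Review bot: The new check in `handle_note` guards only the note's own `object.id`, while the comparison itself (`object.id.len()`, UTF-8 bytes) is inlined in the handler rather than living beside `OBJECT_ID_SIZE_MAX` with the other post validators; any other remote identifier this handler later persists (reply or quote targets, if it stores them — not visible in the hunk) would presumably need the same guard before the database insert and would currently have to re-derive it. A small helper in `src/validators/posts.rs`, `pub fn validate_object_id(object_id: &str) -> Result<(), ValidationError> { if object_id.len() > OBJECT_ID_SIZE_MAX { return Err(ValidationError("object ID is too long")); }; Ok(()) }`, called here as `validate_object_id(&object.id)?;`, keeps the limit and the check in one place. Byte length is at least as strict as character length, so this is a safe upper bound whichever unit the database constraint uses, but that should be said in a comment. The trailing semicolon on `};` after the `if` block is unnecessary; `}` matches the surrounding style. `handle_note` begins and ends outside this hunk.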
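Review bot: `OBJECT_ID_SIZE_MAX` is introduced without a doc comment, so neither its unit nor the reason for the value 200 is recoverable from the name; the only caller in this commit compares it against `str::len`, i.e. UTF-8 bytes, not characters. Suggest adding `/// Maximum length, in UTF-8 bytes, of a remote object ID (its URL) accepted for storage; keep in sync with the matching database `CHECK` constraint mentioned in the CHANGELOG.` above the constant. If the database limit is expressed in characters rather than bytes, a byte-based check remains at least as strict, which is worth noting for whoever next changes either value.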