Validate object ID length before saving post to database

silverpill 2023-04-05 23:52:52 +00:00
parent 20080333d0
commit 970071a9f0
3 changed files with 6 additions and 0 deletions


@ -24,6 +24,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Fixed ### Fixed
- Added missing `CHECK` constraints to database tables. - Added missing `CHECK` constraints to database tables.
- Validate object ID length before saving post to database.
## [1.19.1] - 2023-03-31 ## [1.19.1] - 2023-03-31


@ -54,6 +54,7 @@ use crate::validators::{
EMOJIS_MAX_NUM, EMOJIS_MAX_NUM,
LINKS_MAX_NUM, LINKS_MAX_NUM,
MENTIONS_MAX_NUM, MENTIONS_MAX_NUM,
OBJECT_ID_SIZE_MAX,
}, },
tags::validate_hashtag, tags::validate_hashtag,
}; };
@ -551,6 +552,9 @@ pub async fn handle_note(
return Err(ValidationError("unsupported object type").into()); return Err(ValidationError("unsupported object type").into());
}, },
}; };
if object.id.len() > OBJECT_ID_SIZE_MAX {
return Err(ValidationError("object ID is too long").into());
};
let author_id = get_object_attributed_to(&object)?; let author_id = get_object_attributed_to(&object)?;
let author = get_or_import_profile_by_actor_id( let author = get_or_import_profile_by_actor_id(
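Review bot: `object.id.len()` in the new guard counts UTF-8 bytes (assuming `id` is a `String`), so if the matching database constraint counts characters the two limits agree only for ASCII IDs. The Rust check is the stricter of the two, which is safe, but it should say so, e.g. `// byte length, so never more permissive than the database limit`. The new `OBJECT_ID_SIZE_MAX` constant in the validators file has no comment naming its unit or the constraint it mirrors; something like `// Max object ID length in bytes; keep in sync with the database constraint` would keep the two from drifting apart. Its name also orders the words differently from the neighbouring `CONTENT_MAX_SIZE` (`_SIZE_MAX` vs `_MAX_SIZE`). `handle_note` starts and ends outside the hunk, so whether every path that saves a remote post passes through this guard cannot be confirmed from here.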


@ -7,6 +7,7 @@ pub const MENTIONS_MAX_NUM: usize = 50;
pub const LINKS_MAX_NUM: usize = 10; pub const LINKS_MAX_NUM: usize = 10;
pub const EMOJIS_MAX_NUM: usize = 50; pub const EMOJIS_MAX_NUM: usize = 50;
pub const OBJECT_ID_SIZE_MAX: usize = 200;
pub const CONTENT_MAX_SIZE: usize = 100000; pub const CONTENT_MAX_SIZE: usize = 100000;
const CONTENT_ALLOWED_TAGS: [&str; 8] = [ const CONTENT_ALLOWED_TAGS: [&str; 8] = [
"a", "a",