Add configurable account field value length limit

2019-07-30 17:22:52 +07:00 · 2019-07-30 17:22:52 +07:00 · db3c05f6b4
parent 7d6f8a7fd7
commit db3c05f6b4
4 changed files with 33 additions and 7 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -256,6 +256,7 @@ config :pleroma, :instance,
  user_bio_length: 5000,
  user_name_length: 100,
  max_account_fields: 4,
+  account_field_value_length: 255,
  external_user_synchronization: true

 config :pleroma, :markup,
--- a/docs/config.md
+++ b/docs/config.md
@ -133,6 +133,7 @@ config :pleroma, Pleroma.Emails.Mailer,
 * `limit_to_local_content`: Limit unauthenticated users to search for local statutes and users only. Possible values: `:unauthenticated`, `:all` and `false`. The default is `:unauthenticated`.
 * `dynamic_configuration`: Allow transferring configuration to DB with the subsequent customization from Admin api.
 * `max_account_fields`: The maximum number of custom fields in the user profile (default: `4`)
+* `account_field_value_length`: An account field value maximum length (default: `255`)
 * `external_user_synchronization`: Enabling following/followers counters synchronization for external users.


--- a/lib/pleroma/user/info.ex
+++ b/lib/pleroma/user/info.ex
@ -308,7 +308,12 @@ defmodule Pleroma.User.Info do
  end

  defp valid_field?(%{"name" => name, "value" => value}) do
-    is_binary(name) && is_binary(value)
+    value_limit = Pleroma.Config.get([:instance, :account_field_value_length], 255)
+
+    is_binary(name) &&
+      is_binary(value) &&
+      String.length(name) <= 255 &&
+      String.length(value) <= value_limit
  end

  defp valid_field?(_), do: false
--- a/test/web/mastodon_api/mastodon_api_controller/update_credentials_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller/update_credentials_test.exs
@ -325,6 +325,26 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
               %{"name" => "link", "value" => "cofe.io"}
             ]

+      value_limit = Pleroma.Config.get([:instance, :account_field_value_length])
+
+      long_str = Enum.map(0..value_limit, fn _ -> "x" end) |> Enum.join()
+
+      fields = [%{"name" => "<b>foo<b>", "value" => long_str}]
+
+      assert %{"error" => "Invalid request"} ==
+               conn
+               |> assign(:user, user)
+               |> patch("/api/v1/accounts/update_credentials", %{"fields" => fields})
+               |> json_response(403)
+
+      fields = [%{"name" => long_str, "value" => "bar"}]
+
+      assert %{"error" => "Invalid request"} ==
+               conn
+               |> assign(:user, user)
+               |> patch("/api/v1/accounts/update_credentials", %{"fields" => fields})
+               |> json_response(403)
+
      Pleroma.Config.put([:instance, :max_account_fields], 1)

      fields = [
@ -332,12 +352,11 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
        %{"name" => "link", "value" => "cofe.io"}
      ]

-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"fields" => fields})
-
-      assert %{"error" => "Invalid request"} == json_response(conn, 403)
+      assert %{"error" => "Invalid request"} ==
+               conn
+               |> assign(:user, user)
+               |> patch("/api/v1/accounts/update_credentials", %{"fields" => fields})
+               |> json_response(403)
    end
  end
 end