SECURITY: Limit chat message char length (#19207)

Only allow a maximum of 6000 characters for chat messages when they
are created or edited. A hidden setting can control this limit;
6000 is the default.

There is also a migration here to truncate any existing messages to
6000 characters if the message is already over that and if the
chat_messages table exists. We also set cooked_version to NULL
for those messages so we can identify them for rebake.
This commit is contained in:
Martin Brennan
2022-11-28 10:48:30 +10:00
committed by GitHub
parent a71f6cf09b
commit 3de765c895
8 changed files with 99 additions and 17 deletions

@ -19,10 +19,10 @@ RSpec.describe Chat::IncomingChatWebhooksController do
expect(response.status).to eq(400)
end
it "errors when the body is over WEBHOOK_MAX_MESSAGE_LENGTH characters" do
it "errors when the body is over chat_maximum_message_length characters" do
post "/chat/hooks/#{webhook.key}.json",
params: {
text: "$" * (Chat::IncomingChatWebhooksController::WEBHOOK_MAX_MESSAGE_LENGTH + 1),
text: "$" * (SiteSetting.chat_maximum_message_length + 1),
}
expect(response.status).to eq(400)
end
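
Review bot: the updated example at `text: "$" * (SiteSetting.chat_maximum_message_length + 1)` only exercises a body one character over the limit, and it depends on whatever value the setting happens to have when the spec runs. Consider setting `SiteSetting.chat_maximum_message_length` to a small explicit value in the spec and adding a companion case where the body is exactly at the limit and is accepted, so an off-by-one in the comparison would be caught. Because the limit is described in characters and the body is built only from the single-byte `$`, a case with multibyte characters would also confirm the check counts characters rather than bytes.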