SECURITY: Run custom field validations with save_custom_fields

app/models/concerns/has_custom_fields.rb

@@ -172,7 +172,7 @@ module HasCustomFields
     validate :custom_fields_max_items, unless: :custom_fields_clean?
     validate :custom_fields_value_length, unless: :custom_fields_clean?
 
-    after_save :save_custom_fields
+    after_save { save_custom_fields(run_validations: false) }
   end
 
   attr_reader :preloaded_custom_fields
@@ -265,7 +265,13 @@ module HasCustomFields
     on_custom_fields_change
   end
 
-  def save_custom_fields(force = false)
+  def save_custom_fields(force = false, run_validations: true)
+    if run_validations
+      custom_fields_max_items
+      custom_fields_value_length
+      raise_validation_error unless errors.empty?
+    end
+
     if force || !custom_fields_clean?
       ActiveRecord::Base.transaction do
         dup = @custom_fields.dup.with_indifferent_access

spec/lib/concern/has_custom_fields_spec.rb

@@ -406,6 +406,7 @@ RSpec.describe HasCustomFields do
 
       test_item.custom_fields = { "foo" => "aa" }
       expect { test_item.save! }.to raise_error(ActiveRecord::RecordInvalid)
+      expect { test_item.save_custom_fields }.to raise_error(ActiveRecord::RecordInvalid)
     end
 
     describe "upsert_custom_fields" do