SECURITY: Limit chat drafts length and preloaded count (#19987)

Only allow a maximum of `50_000` characters for chat drafts. A hidden `max_chat_draft_length` setting can control this limit. A migration is also provided to delete any abusive draft in the database.

The number of drafts loaded for the current user has also been limited and ordered by most recent update.

Note that the moved spec files are not directly related to the fix.

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
Co-authored-by: Régis Hanol <regis@hanol.fr>
Natalie Tay
2023-01-25 19:50:10 +08:00
committed by GitHub
parent ec2ed5b7f6
commit 5eaf080239
11 changed files with 121 additions and 4 deletions


@ -448,6 +448,8 @@ after_initialize do
add_to_serializer(:current_user, :chat_drafts) do
ChatDraft
.where(user_id: object.id)
.order(updated_at: :desc)
.limit(20)
.pluck(:chat_channel_id, :data)
.map { |row| { channel_id: row[0], data: row[1] } }
end
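Review bot: the `.limit(20)` added to the `chat_drafts` serializer is a bare magic number, while the commit message makes the draft length limit tunable through a hidden `max_chat_draft_length` setting; consider giving the draft count the same treatment (a named constant or a companion hidden setting) with a short comment on why 20 is sufficient, so both caps can be adjusted together. Also, `.order(updated_at: :desc)` on its own gives no stable order when several drafts share the same `updated_at`, so which drafts survive the limit can differ between requests; a tiebreaker such as `.order(updated_at: :desc, id: :desc)` makes the selection deterministic.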