SECURITY: Limit URL length for theme remote (#20787)

2025-05-30 23:48:44 +08:00 · 2023-03-23 12:01:04 +00:00
parent 165a3217c8
commit b81767c1b1
4 changed files with 24 additions and 1 deletions
--- a/spec/requests/admin/themes_controller_spec.rb
+++ b/spec/requests/admin/themes_controller_spec.rb
@ -241,6 +241,12 @@ RSpec.describe Admin::ThemesController do
        expect(response.status).to eq(422)
      end

+      it "fails to import with a failing status" do
+        post "/admin/themes/import.json", params: { remote: "https://#{"a" * 10_000}.com" }
+
+        expect(response.status).to eq(422)
+      end
+
      it "can lookup a private key by public key" do
        Discourse.redis.setex("ssh_key_abcdef", 1.hour, "rsa private key")