SECURITY: Limit the character count of group membership requests (#19993)

When creating a group membership request, there is no character
limit on the 'reason' field. This can be potentially be used by
an attacker to create enormous amount of data in the database.

Co-authored-by: Ted Johansson <ted@discourse.org>

app/models/group_request.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
 class GroupRequest < ActiveRecord::Base
+  REASON_CHARACTER_LIMIT = 280
+
   belongs_to :group
   belongs_to :user
+
+  validates :reason, length: { maximum: REASON_CHARACTER_LIMIT }
 end
 
 # == Schema Information