SECURITY: Limit the character count of group membership requests (#19993)

When creating a group membership request, there is no character limit on the 'reason' field. This can be potentially be used by an attacker to create enormous amount of data in the database. Co-authored-by: Ted Johansson <ted@discourse.org>
2025-05-31 14:08:32 +08:00 · 2023-01-25 19:50:33 +08:00
parent f91ac52a22
commit d5745d34c2
4 changed files with 29 additions and 1 deletions
--- a/spec/models/group_request_spec.rb
+++ b/spec/models/group_request_spec.rb
@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+RSpec.describe GroupRequest do
+  it { is_expected.to belong_to :user }
+  it { is_expected.to belong_to :group }
+
+  it do
+    is_expected.to validate_length_of(:reason).is_at_most(described_class::REASON_CHARACTER_LIMIT)
+  end
+end