SECURITY: Limit the character count of group membership requests (#19993)
When creating a group membership request, there is no character limit on the 'reason' field. This can potentially be used by an attacker to create an enormous amount of data in the database. Co-authored-by: Ted Johansson <ted@discourse.org>
10
spec/models/group_request_spec.rb
Normal file
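--- a/spec/models/group_request_spec.rb
+++ b/spec/models/group_request_spec.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+RSpec.describe GroupRequest do
+it { is_expected.to belong_to :user }
+it { is_expected.to belong_to :group }
+
+it do
+is_expected.to validate_length_of(:reason).is_at_most(described_class::REASON_CHARACTER_LIMIT)
+end
+end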
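Review bot: The length assertion on `:reason` pins the limit only at the model layer, and nothing in this file exercises the request path where the untrusted reason actually arrives. A request spec that submits a reason of `GroupRequest::REASON_CHARACTER_LIMIT + 1` characters and asserts an error response plus `expect { submit_request }.not_to change { GroupRequest.count }` (with `submit_request` standing in for the real endpoint call) would catch a regression where the record is written without running validations, or where the reason is copied somewhere else before the check. Only this spec is visible on the page, so such coverage may already exist elsewhere in the commit. The unnamed `it do` block would also read better in test output with a description such as `it "limits the reason to REASON_CHARACTER_LIMIT characters" do`.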