github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Limit the character count of group membership requests (#19993)

Browse Source 
When creating a group membership request, there is no character
limit on the 'reason' field. This can be potentially be used by
an attacker to create enormous amount of data in the database.

Co-authored-by: Ted Johansson <ted@discourse.org>
This commit is contained in:
Natalie Tay
2023-01-25 19:50:33 +08:00
committed by GitHub
parent f91ac52a22
commit d5745d34c2
4 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
spec/requests/groups_controller_spec.rb
View File

@ -2198,6 +2198,20 @@ RSpec.describe GroupsController do
expect(response.status).to eq(409)
end
it "limits the character count of the reason" do
sign_in(user)
post "/groups/#{group.name}/request_membership.json",
params: {
reason: "x" * (GroupRequest::REASON_CHARACTER_LIMIT + 1),
}
expect(response.status).to eq(422)
expect(response.parsed_body["errors"]).to contain_exactly(
"Reason is too long (maximum is 280 characters)",
)
end
it "should create the right PM" do
owner1 = Fabricate(:user, last_seen_at: Time.zone.now)
owner2 = Fabricate(:user, last_seen_at: Time.zone.now - 1.day)