SECURITY: Limit number of drafts per user and length of draft_key

The hidden site setting max_drafts_per_user defaults to 10_000 drafts per user. The longest key should be "topic_<MAX_BIG_INT>" which is 25 characters.
2025-05-21 18:12:32 +08:00 · 2023-07-28 13:04:18 +02:00
parent c1b5faa5fd
commit e3a2446874
6 changed files with 71 additions and 0 deletions
--- a/app/controllers/drafts_controller.rb
+++ b/app/controllers/drafts_controller.rb
@ -40,6 +40,19 @@ class DraftsController < ApplicationController
      raise Discourse::InvalidParameters.new(:data)
    end

+    if reached_max_drafts_per_user?(params)
+      render_json_error I18n.t("draft.too_many_drafts.title"),
+                        status: 403,
+                        extras: {
+                          description:
+                            I18n.t(
+                              "draft.too_many_drafts.description",
+                              base_url: Discourse.base_url,
+                            ),
+                        }
+      return
+    end
+
    sequence =
      begin
        Draft.set(
@ -115,4 +128,13 @@ class DraftsController < ApplicationController

    render json: success_json
  end
+
+  private
+
+  def reached_max_drafts_per_user?(params)
+    user_id = current_user.id
+
+    Draft.where(user_id: user_id).count >= SiteSetting.max_drafts_per_user &&
+      !Draft.exists?(user_id: user_id, draft_key: params[:draft_key])
+  end
 end