SECURITY: Limit user profile field length (#18302)

Adds limits to location and website fields at model and DB level to match the bio_raw field limits. A limit cannot be added at the DB level for bio_raw because it is a postgres text field. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2025-05-29 23:08:25 +08:00 · 2022-09-21 12:07:06 +10:00
parent b98cd73ace
commit e69f7d2fd9
3 changed files with 38 additions and 4 deletions
--- a/spec/models/user_profile_spec.rb
+++ b/spec/models/user_profile_spec.rb
@ -42,6 +42,15 @@ RSpec.describe UserProfile do
        end
      end

+      context "when it is > 3000 characters" do
+        before { profile.location = "a" * 3500 }
+
+        it "is not valid" do
+          expect(profile.valid?).to eq(false)
+          expect(profile.errors.full_messages).to include(/Location is too long \(maximum is 3000 characters\)/)
+        end
+      end
+
      context "when it does not contain watched words" do
        it { is_expected.to be_valid }
      end
@ -63,6 +72,15 @@ RSpec.describe UserProfile do
        end
      end

+      context "when it is > 3000 characters" do
+        before { profile.bio_raw = "a" * 3500 }
+
+        it "is not valid" do
+          expect(profile.valid?).to eq(false)
+          expect(profile.errors.full_messages).to include(/About Me is too long \(maximum is 3000 characters\)/)
+        end
+      end
+
      context "when it does not contain watched words" do
        it { is_expected.to be_valid }
      end
@ -129,6 +147,11 @@ RSpec.describe UserProfile do
        user_profile.website = 'user - https://forum.example.com/user'
        expect { user_profile.save! }.to raise_error(ActiveRecord::RecordInvalid)
      end
+
+      it "does not allow > 3000 characters" do
+        user_profile.website = "a" * 3500
+        expect(user_profile).to_not be_valid
+      end
    end

    describe 'after save' do