SECURITY: Limit user profile field length (#18302)

Adds limits to the location and website fields at the model and DB level
to match the bio_raw field limit. A limit cannot be added at the
DB level for bio_raw because it is a postgres text field.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
Martin Brennan
2022-09-21 12:07:06 +10:00
committed by GitHub
parent b98cd73ace
commit e69f7d2fd9
3 changed files with 38 additions and 4 deletions


@ -42,6 +42,15 @@ RSpec.describe UserProfile do
end
end
context "when it is > 3000 characters" do
before { profile.location = "a" * 3500 }
it "is not valid" do
expect(profile.valid?).to eq(false)
expect(profile.errors.full_messages).to include(/Location is too long \(maximum is 3000 characters\)/)
end
end
context "when it does not contain watched words" do
it { is_expected.to be_valid }
end
@ -63,6 +72,15 @@ RSpec.describe UserProfile do
end
end
context "when it is > 3000 characters" do
before { profile.bio_raw = "a" * 3500 }
it "is not valid" do
expect(profile.valid?).to eq(false)
expect(profile.errors.full_messages).to include(/About Me is too long \(maximum is 3000 characters\)/)
end
end
context "when it does not contain watched words" do
it { is_expected.to be_valid }
end
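Review bot: The new length specs for location (first hunk) and bio_raw (second hunk) only exercise the over-limit case with 3500 characters; neither checks that exactly 3000 characters is still accepted, so an off-by-one in the model validation or the DB limit would go unnoticed. Add a boundary case next to each, e.g. `context "when it is exactly 3000 characters" do` / `before { profile.location = "a" * 3000 }` / `it { is_expected.to be_valid }`, with the bio_raw equivalent in the second hunk. The same boundary case is presumably missing for the website spec in the third hunk, which runs past the end of this view. The enclosing RSpec.describe block starts and ends outside these hunks.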
@ -129,6 +147,11 @@ RSpec.describe UserProfile do
user_profile.website = 'user - https://forum.example.com/user'
expect { user_profile.save! }.to raise_error(ActiveRecord::RecordInvalid)
end
it "does not allow > 3000 characters" do
user_profile.website = "a" * 3500
expect(user_profile).to_not be_valid
end
end
describe 'after save' do