[bugfix] Use []rune to check length of user-submitted text (#948)

tobi 2022-11-03 14:38:06 +01:00 committed by GitHub
parent f3fc040c2e
commit bd05040133
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 40 additions and 32 deletions


@ -92,26 +92,26 @@ func (m *Module) AppsPOSTHandler(c *gin.Context) {
return return
} }
if len(form.ClientName) > formFieldLen { if len([]rune(form.ClientName)) > formFieldLen {
err := fmt.Errorf("client_name must be less than %d bytes", formFieldLen) err := fmt.Errorf("client_name must be less than %d characters", formFieldLen)
api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet) api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
return return
} }
if len(form.RedirectURIs) > formRedirectLen { if len([]rune(form.RedirectURIs)) > formRedirectLen {
err := fmt.Errorf("redirect_uris must be less than %d bytes", formRedirectLen) err := fmt.Errorf("redirect_uris must be less than %d characters", formRedirectLen)
api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet) api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
return return
} }
if len(form.Scopes) > formFieldLen { if len([]rune(form.Scopes)) > formFieldLen {
err := fmt.Errorf("scopes must be less than %d bytes", formFieldLen) err := fmt.Errorf("scopes must be less than %d characters", formFieldLen)
api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet) api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
return return
} }
if len(form.Website) > formFieldLen { if len([]rune(form.Website)) > formFieldLen {
err := fmt.Errorf("website must be less than %d bytes", formFieldLen) err := fmt.Errorf("website must be less than %d characters", formFieldLen)
api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet) api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
return return
} }
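Review bot: The four rewritten messages in AppsPOSTHandler say the field "must be less than %d characters", but each guard is `> formFieldLen` (or `> formRedirectLen`), so a value of exactly the limit is accepted. The text should match the check, for example `fmt.Errorf("client_name must be no more than %d characters", formFieldLen)`, and likewise for redirect_uris, scopes and website. The custom_css message in CustomCSS has the same mismatch with its `length > maximumCustomCSSLength` guard. The handler starts above this hunk and continues below it.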


@ -163,8 +163,8 @@ func validateCreateMedia(form *model.AttachmentRequest) error {
return fmt.Errorf("file size limit exceeded: limit is %d bytes but attachment was %d bytes", maxSize, form.File.Size) return fmt.Errorf("file size limit exceeded: limit is %d bytes but attachment was %d bytes", maxSize, form.File.Size)
} }
if len(form.Description) > maxDescriptionChars { if length := len([]rune(form.Description)); length > maxDescriptionChars {
return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, len(form.Description)) return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, length)
} }
return nil return nil
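Review bot: The description guard in validateCreateMedia checks only `length > maxDescriptionChars`, while its error text promises a range "between %d and %d characters (inclusive)" and names minDescriptionChars. validateUpdateMedia enforces both bounds with `length < minDescriptionChars || length > maxDescriptionChars`, so the two paths disagree on what a valid description is. If a description is optional on create, the message here should state only the upper bound; otherwise the lower bound belongs in the condition. The function begins above the hunk, so a minimum check may exist there.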


@ -142,8 +142,8 @@ func validateUpdateMedia(form *model.AttachmentUpdateRequest) error {
maxDescriptionChars := config.GetMediaDescriptionMaxChars() maxDescriptionChars := config.GetMediaDescriptionMaxChars()
if form.Description != nil { if form.Description != nil {
if len(*form.Description) < minDescriptionChars || len(*form.Description) > maxDescriptionChars { if length := len([]rune(*form.Description)); length < minDescriptionChars || length > maxDescriptionChars {
return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, len(*form.Description)) return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, length)
} }
} }


@ -124,8 +124,8 @@ func validateCreateStatus(form *model.AdvancedStatusCreateForm) error {
maxCwChars := config.GetStatusesCWMaxChars() maxCwChars := config.GetStatusesCWMaxChars()
if form.Status != "" { if form.Status != "" {
if len(form.Status) > maxChars { if length := len([]rune(form.Status)); length > maxChars {
return fmt.Errorf("status too long, %d characters provided but limit is %d", len(form.Status), maxChars) return fmt.Errorf("status too long, %d characters provided but limit is %d", length, maxChars)
} }
} }
@ -141,15 +141,15 @@ func validateCreateStatus(form *model.AdvancedStatusCreateForm) error {
return fmt.Errorf("too many poll options provided, %d provided but limit is %d", len(form.Poll.Options), maxPollOptions) return fmt.Errorf("too many poll options provided, %d provided but limit is %d", len(form.Poll.Options), maxPollOptions)
} }
for _, p := range form.Poll.Options { for _, p := range form.Poll.Options {
if len(p) > maxPollChars { if length := len([]rune(p)); length > maxPollChars {
return fmt.Errorf("poll option too long, %d characters provided but limit is %d", len(p), maxPollChars) return fmt.Errorf("poll option too long, %d characters provided but limit is %d", length, maxPollChars)
} }
} }
} }
if form.SpoilerText != "" { if form.SpoilerText != "" {
if len(form.SpoilerText) > maxCwChars { if length := len([]rune(form.SpoilerText)); length > maxCwChars {
return fmt.Errorf("content-warning/spoilertext too long, %d characters provided but limit is %d", len(form.SpoilerText), maxCwChars) return fmt.Errorf("content-warning/spoilertext too long, %d characters provided but limit is %d", length, maxCwChars)
} }
} }
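Review bot: The length checks in validateCreateStatus spell the rune count as `len([]rune(form.Status))`, which reads as a conversion of the whole user-submitted string before any limit is applied. Whether a rune slice is actually materialised depends on the compiler recognising the pattern. `utf8.RuneCountInString(form.Status)` states the intent directly and never allocates, for example `if length := utf8.RuneCountInString(form.Status); length > maxChars {`. The same spelling is used for the poll options and spoiler text here, and in the apps, media and validate files of this commit. Both forms count code points, so a character built from combining marks still counts as several.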


@ -50,7 +50,7 @@ func NewPassword(password string) error {
return errors.New("no password provided") return errors.New("no password provided")
} }
if len(password) > maximumPasswordLength { if len([]rune(password)) > maximumPasswordLength {
return fmt.Errorf("password should be no more than %d chars", maximumPasswordLength) return fmt.Errorf("password should be no more than %d chars", maximumPasswordLength)
} }
@ -113,12 +113,14 @@ func SignUpReason(reason string, reasonRequired bool) error {
return errors.New("no reason provided") return errors.New("no reason provided")
} }
if len(reason) < minimumReasonLength { length := len([]rune(reason))
return fmt.Errorf("reason should be at least %d chars but '%s' was %d", minimumReasonLength, reason, len(reason))
if length < minimumReasonLength {
return fmt.Errorf("reason should be at least %d chars but '%s' was %d", minimumReasonLength, reason, length)
} }
if len(reason) > maximumReasonLength { if length > maximumReasonLength {
return fmt.Errorf("reason should be no more than %d chars but given reason was %d", maximumReasonLength, len(reason)) return fmt.Errorf("reason should be no more than %d chars but given reason was %d", maximumReasonLength, length)
} }
return nil return nil
} }
@ -164,7 +166,7 @@ func CustomCSS(customCSS string) error {
return errors.New("accounts-allow-custom-css is not enabled for this instance") return errors.New("accounts-allow-custom-css is not enabled for this instance")
} }
if length := len(customCSS); length > maximumCustomCSSLength { if length := len([]rune(customCSS)); length > maximumCustomCSSLength {
return fmt.Errorf("custom_css must be less than %d characters, but submitted custom_css was %d characters", maximumCustomCSSLength, length) return fmt.Errorf("custom_css must be less than %d characters, but submitted custom_css was %d characters", maximumCustomCSSLength, length)
} }
return nil return nil
@ -182,8 +184,8 @@ func EmojiShortcode(shortcode string) error {
// SiteTitle ensures that the given site title is within spec. // SiteTitle ensures that the given site title is within spec.
func SiteTitle(siteTitle string) error { func SiteTitle(siteTitle string) error {
if len(siteTitle) > maximumSiteTitleLength { if length := len([]rune(siteTitle)); length > maximumSiteTitleLength {
return fmt.Errorf("site title should be no more than %d chars but given title was %d", maximumSiteTitleLength, len(siteTitle)) return fmt.Errorf("site title should be no more than %d chars but given title was %d", maximumSiteTitleLength, length)
} }
return nil return nil
@ -191,8 +193,8 @@ func SiteTitle(siteTitle string) error {
// SiteShortDescription ensures that the given site short description is within spec. // SiteShortDescription ensures that the given site short description is within spec.
func SiteShortDescription(d string) error { func SiteShortDescription(d string) error {
if len(d) > maximumShortDescriptionLength { if length := len([]rune(d)); length > maximumShortDescriptionLength {
return fmt.Errorf("short description should be no more than %d chars but given description was %d", maximumShortDescriptionLength, len(d)) return fmt.Errorf("short description should be no more than %d chars but given description was %d", maximumShortDescriptionLength, length)
} }
return nil return nil
@ -200,8 +202,8 @@ func SiteShortDescription(d string) error {
// SiteDescription ensures that the given site description is within spec. // SiteDescription ensures that the given site description is within spec.
func SiteDescription(d string) error { func SiteDescription(d string) error {
if len(d) > maximumDescriptionLength { if length := len([]rune(d)); length > maximumDescriptionLength {
return fmt.Errorf("description should be no more than %d chars but given description was %d", maximumDescriptionLength, len(d)) return fmt.Errorf("description should be no more than %d chars but given description was %d", maximumDescriptionLength, length)
} }
return nil return nil
@ -209,8 +211,8 @@ func SiteDescription(d string) error {
// SiteTerms ensures that the given site terms string is within spec. // SiteTerms ensures that the given site terms string is within spec.
func SiteTerms(t string) error { func SiteTerms(t string) error {
if len(t) > maximumSiteTermsLength { if length := len([]rune(t)); length > maximumSiteTermsLength {
return fmt.Errorf("terms should be no more than %d chars but given terms was %d", maximumSiteTermsLength, len(t)) return fmt.Errorf("terms should be no more than %d chars but given terms was %d", maximumSiteTermsLength, length)
} }
return nil return nil
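Review bot: In NewPassword the ceiling is now counted in runes, so a password that passes `len([]rune(password)) > maximumPasswordLength` can be up to four times that many bytes in UTF-8. The hashing step is outside these hunks; if it is byte-bounded (bcrypt, for instance, handles at most 72 bytes), long non-ASCII passwords could be rejected or truncated after validation has accepted them. It would be worth confirming the hash input limit and keeping a separate byte-length ceiling next to the rune check. The same rune-versus-byte widening applies to any byte-sized storage behind the other validators in this file. Separately, SignUpReason still echoes the submitted text with `'%s'`; `%q` would quote and escape it in the error.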


@ -233,6 +233,7 @@ func (suite *ValidationTestSuite) TestValidateReason() {
badReason := "because" badReason := "because"
goodReason := "to smash the state and destroy capitalism ultimately and completely" goodReason := "to smash the state and destroy capitalism ultimately and completely"
tooLong := "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Mauris auctor mollis viverra. Maecenas maximus mollis sem, nec fermentum velit consectetur non. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Quisque a enim nibh. Vestibulum bibendum leo ac porttitor auctor. Curabitur velit tellus, facilisis vitae lorem a, ullamcorper efficitur leo. Sed a auctor tortor. Sed ut finibus ante, sit amet laoreet sapien. Donec ullamcorper tellus a nibh sodales vulputate. Donec id dolor eu odio mollis bibendum. Pellentesque habitant morbi tristique senectus et netus at." tooLong := "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Mauris auctor mollis viverra. Maecenas maximus mollis sem, nec fermentum velit consectetur non. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Quisque a enim nibh. Vestibulum bibendum leo ac porttitor auctor. Curabitur velit tellus, facilisis vitae lorem a, ullamcorper efficitur leo. Sed a auctor tortor. Sed ut finibus ante, sit amet laoreet sapien. Donec ullamcorper tellus a nibh sodales vulputate. Donec id dolor eu odio mollis bibendum. Pellentesque habitant morbi tristique senectus et netus at."
unicode := "⎾⎿⏀⏁⏂⏃⏄⏅⏆⏇"
var err error var err error
// check with no reason required // check with no reason required
@ -256,6 +257,11 @@ func (suite *ValidationTestSuite) TestValidateReason() {
assert.Equal(suite.T(), nil, err) assert.Equal(suite.T(), nil, err)
} }
err = validate.SignUpReason(unicode, false)
if assert.NoError(suite.T(), err) {
assert.Equal(suite.T(), nil, err)
}
// check with reason required // check with reason required
err = validate.SignUpReason(empty, true) err = validate.SignUpReason(empty, true)
if assert.Error(suite.T(), err) { if assert.Error(suite.T(), err) {
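Review bot: The added case calls `validate.SignUpReason(unicode, false)` in the "no reason required" part of TestValidateReason, so it is unlikely to exercise the new rune counting. If SignUpReason returns early when no reason is required (its opening lines are outside the visible hunks), the call passes whether length is measured in bytes or runes. A case that pins the fix would pass `true` with a multi-byte string whose rune count lies between minimumReasonLength and maximumReasonLength while its byte count exceeds maximumReasonLength, and assert no error. The ten-character, 30-byte sample is too short to tell the two measures apart in any case. The inner `assert.Equal(suite.T(), nil, err)` repeats what `assert.NoError` has already established.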