From b6e98134a05a78f2b2373160382a939edb9b3118 Mon Sep 17 00:00:00 2001
From: Sven Sauleau
Date: Wed, 22 Feb 2023 13:19:20 +0000
Subject: [PATCH] limit status to 500 chars

---
 backend/src/errors/index.ts            |  6 +++++-
 backend/test/mastodon/statuses.spec.ts | 20 ++++++++++++++++++++
 functions/api/v1/statuses.ts           |  4 ++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/backend/src/errors/index.ts b/backend/src/errors/index.ts
index c1f552b..63b22cf 100644
--- a/backend/src/errors/index.ts
+++ b/backend/src/errors/index.ts
@@ -7,7 +7,7 @@ type ErrorResponse = {
 
 const headers = {
 	...cors(),
-	'content-type': 'application/json',
+	'content-type': 'application/json; charset=utf-8',
 } as const
 
 function generateErrorResponse(error: string, status: number, errorDescription?: string): Response {
@@ -57,3 +57,7 @@ export function exceededLimit(detail: string): Response {
 export function resourceNotFound(name: string, id: string): Response {
 	return generateErrorResponse('Resource not found', 404, `${name} "${id}" not found`)
 }
+
+export function validationError(detail: string): Response {
+	return generateErrorResponse('Validation failed', 422, detail)
+}
diff --git a/backend/test/mastodon/statuses.spec.ts b/backend/test/mastodon/statuses.spec.ts
index 9025200..41f64a2 100644
--- a/backend/test/mastodon/statuses.spec.ts
+++ b/backend/test/mastodon/statuses.spec.ts
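Review bot: `validationError` has no doc comment, and `detail` goes straight into the response as the error description, so the contract belongs next to the function: `/** 422 response for a request that parsed but failed a validation rule; detail is returned to the client as the error description, so keep it user-facing and free of internal state. */`. The siblings visible in the hunk (`exceededLimit`, `resourceNotFound`) are undocumented too, so this is consistent with the file rather than a regression. `generateErrorResponse` is outside the hunk, so how `detail` is encoded into the body cannot be confirmed here.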
@@ -1010,5 +1010,25 @@ describe('Mastodon APIs', () => {
 			assert.equal(results![0].object_id, note.id.toString())
 			assert.equal(results![1].object_id, note.id.toString())
 		})
+
+		test('reject statuses exceeding limits', async () => {
+			const db = await makeDB()
+			const queue = makeQueue()
+			const actor = await createPerson(domain, db, userKEK, 'sven@cloudflare.com')
+
+			const body = {
+				status: 'a'.repeat(501),
+				visibility: 'public',
+			}
+			const req = new Request('https://example.com', {
+				method: 'POST',
+				headers: { 'content-type': 'application/json' },
+				body: JSON.stringify(body),
+			})
+
+			const res = await statuses.handleRequest(req, db, actor, userKEK, queue, cache)
+			assert.equal(res.status, 422)
+			assertJSON(res)
+		})
 	})
 })
diff --git a/functions/api/v1/statuses.ts b/functions/api/v1/statuses.ts
index e1912b4..8a31595 100644
--- a/functions/api/v1/statuses.ts
+++ b/functions/api/v1/statuses.ts
@@ -74,6 +74,10 @@ export async function handleRequest(
 		return new Response('', { status: 400 })
 	}
 
+	if (body.status.length > 500) {
+		return errors.validationError('text character limit of 500 exceeded')
+	}
+
 	const mediaAttachments: Array = []
 	if (body.media_ids && body.media_ids.length > 0) {
 		if (body.media_ids.length > 4) {
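Review bot: The new test only checks `res.status` and `assertJSON(res)`, so a 422 produced for any other reason would still pass; reading the body and asserting on the error fields (as named by `ErrorResponse` in backend/src/errors/index.ts) would pin the limit itself. The boundary is also untested: a second request with `status: 'a'.repeat(500)` asserting a status other than 422 would show that exactly 500 is still accepted. The enclosing describe blocks start outside the hunk.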
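Review bot: `body.status.length` counts UTF-16 code units, not characters, so a status made of emoji or other astral-plane characters is rejected at 250 of them while the message promises a limit of 500; if the intent is Mastodon's character limit, count code points with `if ([...body.status].length > 500) {`. The guard sits before any media or database work, which is the right place for an input-size check. The `400` branch just above the hunk is presumably what guarantees `body.status` is a string; if it only checks for presence, a non-string `status` reaches `.length` unchecked, which is worth confirming since `handleRequest` starts outside the hunk. The limit also appears in both the condition and the message; a named constant, `const MAX_STATUS_LENGTH = 500`, keeps the two in step.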