limit Actor properties

2023-02-22 13:48:09 +00:00 · 2023-02-22 13:48:09 +00:00 · d43a5d316d
commit d43a5d316d
--- a/backend/src/activitypub/actors/index.ts
+++ b/backend/src/activitypub/actors/index.ts
@ -47,12 +47,21 @@ export async function get(url: string | URL): Promise<Actor> {

 	if (actor.summary) {
 		actor.summary = await sanitizeContent(actor.summary)
+		if (actor.summary.length > 500) {
+			actor.summary = actor.summary.substring(0, 500)
+		}
 	}
 	if (actor.name) {
 		actor.name = await getTextContent(actor.name)
+		if (actor.name.length > 30) {
+			actor.name = actor.name.substring(0, 30)
+		}
 	}
 	if (actor.preferredUsername) {
 		actor.preferredUsername = await getTextContent(actor.preferredUsername)
+		if (actor.preferredUsername.length > 30) {
+			actor.preferredUsername = actor.preferredUsername.substring(0, 30)
+		}
 	}

 	// This is mostly for testing where for convenience not all values
--- a/backend/test/activitypub.spec.ts
+++ b/backend/test/activitypub.spec.ts
@ -83,6 +83,28 @@ describe('ActivityPub', () => {
 			assert.equal(actor.name, 'hi hey')
 			assert.equal(actor.preferredUsername, 'sven alert(1)')
 		})
+
+		test('Actor properties limits', async () => {
+			globalThis.fetch = async (input: RequestInfo) => {
+				if (input === 'https://example.com/actor') {
+					return new Response(
+						JSON.stringify({
+							id: 'https://example.com/actor',
+							type: 'Person',
+							summary: 'a'.repeat(612),
+							name: 'b'.repeat(50),
+							preferredUsername: 'c'.repeat(50),
+						})
+					)
+				}
+				throw new Error(`unexpected request to "${input}"`)
+			}
+
+			const actor = await actors.get('https://example.com/actor')
+			assert.equal(actor.summary, 'a'.repeat(500))
+			assert.equal(actor.name, 'b'.repeat(30))
+			assert.equal(actor.preferredUsername, 'c'.repeat(30))
+		})
 	})

 	describe('Outbox', () => {