Validate media description length - pleroma - My custom branche(s) on git.pleroma.social/pleroma/pleroma

commit: c802f3b7f61e1c4bbe2f4eec757802e30f88b6a5
parent 855c5a234f4ca743303f1b88974665d7b9f58684
Author: marcin mikołajczak <git@mkljczk.pl>
Date:   Sat, 17 Aug 2024 19:58:32 +0200

Validate media description length

Signed-off-by: marcin mikołajczak <git@mkljczk.pl>

Diffstat:
M lib/pleroma/user.ex 24 +++++++++++++++++++++---
M lib/pleroma/web/mastodon_api/controllers/account_controller.ex 6 ++++++
M test/pleroma/web/mastodon_api/update_credentials_test.exs 27 +++++++++++++++++++++++++++

3 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
@@ -586,16 +586,18 @@ defmodule Pleroma.User do
     |> validate_length(:bio, max: bio_limit)
     |> validate_length(:name, min: 1, max: name_limit)
     |> validate_inclusion(:actor_type, Pleroma.Constants.allowed_user_actor_types())
+    |> validate_image_description(:avatar_description, params)
+    |> validate_image_description(:header_description, params)
     |> put_fields()
     |> put_emoji()
     |> put_change_if_present(:bio, &{:ok, parse_bio(&1, struct)})
     |> put_change_if_present(
       :avatar,
-      &put_upload(&1, :avatar, Map.get(params, :avatar_description, nil))
+      &put_upload(&1, :avatar, Map.get(params, :avatar_description))
     )
     |> put_change_if_present(
       :banner,
-      &put_upload(&1, :banner, Map.get(params, :header_description, nil))
+      &put_upload(&1, :banner, Map.get(params, :header_description))
     )
     |> put_change_if_present(:background, &put_upload(&1, :background))
     |> put_change_if_present(
@@ -689,7 +691,20 @@ defmodule Pleroma.User do
     end
   end
 
-  defp maybe_update_image_description(changeset, image_field, description) do
+  defp validate_image_description(changeset, key, params) do
+    description_limit = Config.get([:instance, :description_limit], 5_000)
+    description = Map.get(params, key)
+
+    if is_binary(description) and String.length(description) > description_limit do
+      changeset
+      |> add_error(key, "#{key} is too long")
+    else
+      changeset
+    end
+  end
+
+  defp maybe_update_image_description(changeset, image_field, description)
+       when is_binary(description) do
     with {:image_missing, true} <- {:image_missing, not changed?(changeset, image_field)},
          {:existing_image, %{"id" => id}} <-
            {:existing_image, Map.get(changeset.data, image_field)},
@@ -697,10 +712,13 @@ defmodule Pleroma.User do
          {:ok, object} <- Object.update_data(object, %{"name" => description}) do
       put_change(changeset, image_field, object.data)
     else
+      {:description_too_long, true} -> {:error}
       _ -> changeset
     end
   end
 
+  defp maybe_update_image_description(changeset, _, _), do: changeset
+
   def update_as_admin_changeset(struct, params) do
     struct
     |> update_changeset(params)
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -279,6 +279,12 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
       {:error, %Ecto.Changeset{errors: [{:name, {_, _}} | _]}} ->
         render_error(conn, :request_entity_too_large, "Name is too long")
 
+      {:error, %Ecto.Changeset{errors: [{:avatar_description, {_, _}} | _]}} ->
+        render_error(conn, :request_entity_too_large, "Avatar description is too long")
+
+      {:error, %Ecto.Changeset{errors: [{:header_description, {_, _}} | _]}} ->
+        render_error(conn, :request_entity_too_large, "Banner description is too long")
+
       {:error, %Ecto.Changeset{errors: [{:fields, {"invalid", _}} | _]}} ->
         render_error(conn, :request_entity_too_large, "One or more field entries are too long")
 
diff --git a/test/pleroma/web/mastodon_api/update_credentials_test.exs b/test/pleroma/web/mastodon_api/update_credentials_test.exs
@@ -472,6 +472,33 @@ defmodule Pleroma.Web.MastodonAPI.UpdateCredentialsTest do
       assert user.avatar["name"] == "me and pleroma tan"
     end
 
+    test "limit", %{user: user, conn: conn} do
+      new_header = %Plug.Upload{
+        content_type: "image/jpeg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      assert user.banner == %{}
+
+      conn
+      |> patch("/api/v1/accounts/update_credentials", %{"header" => new_header})
+
+      description_limit = Config.get([:instance, :description_limit], 100)
+
+      description = String.duplicate(".", description_limit + 1)
+
+      conn =
+        conn
+        |> assign(:user, User.get_by_id(user.id))
+        |> patch("/api/v1/accounts/update_credentials", %{
+          "header_description" => description
+        })
+
+      assert %{"error" => "Banner description is too long"} =
+               json_response_and_validate_schema(conn, 413)
+    end
+
     test "Strip / from upload files", %{user: user, conn: conn} do
       new_image = %Plug.Upload{
         content_type: "image/jpeg",

M	lib/pleroma/user.ex	24	+++++++++++++++++++++---
M	lib/pleroma/web/mastodon_api/controllers/account_controller.ex	6	++++++
M	test/pleroma/web/mastodon_api/update_credentials_test.exs	27	+++++++++++++++++++++++++++