From bd05040133ec5ce5b431e05d8c873195d9501d6d Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Thu, 3 Nov 2022 14:38:06 +0100
Subject: [PATCH] [bugfix] Use []rune to check length of user-submitted text (#948)

---
 internal/api/client/app/appcreate.go | 16 ++++++------
 internal/api/client/media/mediacreate.go | 4 +--
 internal/api/client/media/mediaupdate.go | 4 +--
 internal/api/client/status/statuscreate.go | 12 ++++-----
 internal/validate/formvalidation.go | 30 ++++++++++++----------
 internal/validate/formvalidation_test.go | 6 +++++
 6 files changed, 40 insertions(+), 32 deletions(-)

diff --git a/internal/api/client/app/appcreate.go b/internal/api/client/app/appcreate.go
index 641357d42..c79c528d9 100644
--- a/internal/api/client/app/appcreate.go
+++ b/internal/api/client/app/appcreate.go
@@ -92,26 +92,26 @@ func (m *Module) AppsPOSTHandler(c *gin.Context) {
 return
 }
 
- if len(form.ClientName) > formFieldLen {
- err := fmt.Errorf("client_name must be less than %d bytes", formFieldLen)
+ if len([]rune(form.ClientName)) > formFieldLen {
+ err := fmt.Errorf("client_name must be less than %d characters", formFieldLen)
 api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
 return
 }
 
- if len(form.RedirectURIs) > formRedirectLen {
- err := fmt.Errorf("redirect_uris must be less than %d bytes", formRedirectLen)
+ if len([]rune(form.RedirectURIs)) > formRedirectLen {
+ err := fmt.Errorf("redirect_uris must be less than %d characters", formRedirectLen)
 api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
 return
 }
 
- if len(form.Scopes) > formFieldLen {
- err := fmt.Errorf("scopes must be less than %d bytes", formFieldLen)
+ if len([]rune(form.Scopes)) > formFieldLen {
+ err := fmt.Errorf("scopes must be less than %d characters", formFieldLen)
 api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
 return
 }
 
- if len(form.Website) > formFieldLen {
- err := fmt.Errorf("website must be less than %d bytes", formFieldLen)
+ if len([]rune(form.Website)) > formFieldLen {
+ err := fmt.Errorf("website must be less than %d characters", formFieldLen)
 api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
 return
 }
diff --git a/internal/api/client/media/mediacreate.go b/internal/api/client/media/mediacreate.go
index 62f4a0d4e..dcaba5d5b 100644
--- a/internal/api/client/media/mediacreate.go
+++ b/internal/api/client/media/mediacreate.go
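Review bot: Each `len([]rune(form.X))` on the new `if` lines materialises a rune slice of the whole submitted value just to count it, allocating four bytes per rune of user-controlled input on every request; `utf8.RuneCountInString(form.ClientName)` yields the same count without allocating (both treat each invalid UTF-8 byte as one rune) and needs only a `unicode/utf8` import. The same pattern appears in the mediacreate, mediaupdate, statuscreate and formvalidation hunks. The messages still say "must be less than %d characters" while the test is `>`, so a value of exactly formFieldLen is accepted; `"client_name must be no more than %d characters"` would match the check. Counting runes also raises the accepted byte size of each field to up to four times the previous byte limit, so any downstream byte-bounded storage for these fields (not visible here) should be rechecked. AppsPOSTHandler's body continues outside the hunk on both sides.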
@@ -163,8 +163,8 @@ func validateCreateMedia(form *model.AttachmentRequest) error {
 return fmt.Errorf("file size limit exceeded: limit is %d bytes but attachment was %d bytes", maxSize, form.File.Size)
 }
 
- if len(form.Description) > maxDescriptionChars {
- return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, len(form.Description))
+ if length := len([]rune(form.Description)); length > maxDescriptionChars {
+ return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, length)
 }
 
 return nil
diff --git a/internal/api/client/media/mediaupdate.go b/internal/api/client/media/mediaupdate.go
index fb0e67ddc..438eaca23 100644
--- a/internal/api/client/media/mediaupdate.go
+++ b/internal/api/client/media/mediaupdate.go
@@ -142,8 +142,8 @@ func validateUpdateMedia(form *model.AttachmentUpdateRequest) error {
 maxDescriptionChars := config.GetMediaDescriptionMaxChars()
 
 if form.Description != nil {
- if len(*form.Description) < minDescriptionChars || len(*form.Description) > maxDescriptionChars {
- return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, len(*form.Description))
+ if length := len([]rune(*form.Description)); length < minDescriptionChars || length > maxDescriptionChars {
+ return fmt.Errorf("image description length must be between %d and %d characters (inclusive), but provided image description was %d chars", minDescriptionChars, maxDescriptionChars, length)
 }
 }
 
diff --git a/internal/api/client/status/statuscreate.go b/internal/api/client/status/statuscreate.go
index 13aa5d173..3b2ee1e05 100644
--- a/internal/api/client/status/statuscreate.go
+++ b/internal/api/client/status/statuscreate.go
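Review bot: The mediacreate hunk's error message promises a range between minDescriptionChars and maxDescriptionChars, but the new `if` checks only the upper bound; if a minimum-length check exists above the hunk and still uses `len(form.Description)`, it counts bytes and can accept or reject a multibyte description inconsistently with the rune-based maximum here. Either fold the lower bound into this check, as the mediaupdate hunk does with `length < minDescriptionChars || length > maxDescriptionChars`, or confirm that the earlier check was converted as well. validateCreateMedia's body begins outside the hunk.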
@@ -124,8 +124,8 @@ func validateCreateStatus(form *model.AdvancedStatusCreateForm) error {
 maxCwChars := config.GetStatusesCWMaxChars()
 
 if form.Status != "" {
- if len(form.Status) > maxChars {
- return fmt.Errorf("status too long, %d characters provided but limit is %d", len(form.Status), maxChars)
+ if length := len([]rune(form.Status)); length > maxChars {
+ return fmt.Errorf("status too long, %d characters provided but limit is %d", length, maxChars)
 }
 }
 
@@ -141,15 +141,15 @@ func validateCreateStatus(form *model.AdvancedStatusCreateForm) error {
 return fmt.Errorf("too many poll options provided, %d provided but limit is %d", len(form.Poll.Options), maxPollOptions)
 }
 for _, p := range form.Poll.Options {
- if len(p) > maxPollChars {
- return fmt.Errorf("poll option too long, %d characters provided but limit is %d", len(p), maxPollChars)
+ if length := len([]rune(p)); length > maxPollChars {
+ return fmt.Errorf("poll option too long, %d characters provided but limit is %d", length, maxPollChars)
 }
 }
 }
 
 if form.SpoilerText != "" {
- if len(form.SpoilerText) > maxCwChars {
- return fmt.Errorf("content-warning/spoilertext too long, %d characters provided but limit is %d", len(form.SpoilerText), maxCwChars)
+ if length := len([]rune(form.SpoilerText)); length > maxCwChars {
+ return fmt.Errorf("content-warning/spoilertext too long, %d characters provided but limit is %d", length, maxCwChars)
 }
 }
 
diff --git a/internal/validate/formvalidation.go b/internal/validate/formvalidation.go
index c51c17922..ccf5e6504 100644
--- a/internal/validate/formvalidation.go
+++ b/internal/validate/formvalidation.go
@@ -50,7 +50,7 @@ func NewPassword(password string) error {
 return errors.New("no password provided")
 }
 
- if len(password) > maximumPasswordLength {
+ if len([]rune(password)) > maximumPasswordLength {
 return fmt.Errorf("password should be no more than %d chars", maximumPasswordLength)
 }
 
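Review bot: In the NewPassword hunk, moving the limit from bytes to runes means a password of maximumPasswordLength runes may be up to four times that many bytes; if the password is later hashed with bcrypt (not visible in this hunk), bcrypt uses only the first 72 bytes of its input and silently ignores the rest, so the length the validator accepts and the length that actually participates in the hash would diverge. If that is the hashing scheme, keep a byte bound next to the rune bound, e.g. `if len(password) > bcryptMaxBytes { return fmt.Errorf("password should be no more than %d bytes", bcryptMaxBytes) }` with `bcryptMaxBytes` declared as 72 beside maximumPasswordLength and a comment naming it as bcrypt's input limit. NewPassword's body begins outside the hunk.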
@@ -113,12 +113,14 @@ func SignUpReason(reason string, reasonRequired bool) error {
 return errors.New("no reason provided")
 }
 
- if len(reason) < minimumReasonLength {
- return fmt.Errorf("reason should be at least %d chars but '%s' was %d", minimumReasonLength, reason, len(reason))
+ length := len([]rune(reason))
+
+ if length < minimumReasonLength {
+ return fmt.Errorf("reason should be at least %d chars but '%s' was %d", minimumReasonLength, reason, length)
 }
 
- if len(reason) > maximumReasonLength {
- return fmt.Errorf("reason should be no more than %d chars but given reason was %d", maximumReasonLength, len(reason))
+ if length > maximumReasonLength {
+ return fmt.Errorf("reason should be no more than %d chars but given reason was %d", maximumReasonLength, length)
 }
 return nil
 }
@@ -164,7 +166,7 @@ func CustomCSS(customCSS string) error {
 return errors.New("accounts-allow-custom-css is not enabled for this instance")
 }
 
- if length := len(customCSS); length > maximumCustomCSSLength {
+ if length := len([]rune(customCSS)); length > maximumCustomCSSLength {
 return fmt.Errorf("custom_css must be less than %d characters, but submitted custom_css was %d characters", maximumCustomCSSLength, length)
 }
 return nil
@@ -182,8 +184,8 @@ func EmojiShortcode(shortcode string) error {
 
 // SiteTitle ensures that the given site title is within spec.
 func SiteTitle(siteTitle string) error {
- if len(siteTitle) > maximumSiteTitleLength {
- return fmt.Errorf("site title should be no more than %d chars but given title was %d", maximumSiteTitleLength, len(siteTitle))
+ if length := len([]rune(siteTitle)); length > maximumSiteTitleLength {
+ return fmt.Errorf("site title should be no more than %d chars but given title was %d", maximumSiteTitleLength, length)
 }
 
 return nil
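Review bot: The too-short error in the SignUpReason hunk still interpolates the submitted reason with `'%s'`, so whatever the user typed is copied verbatim into the error string; if that string reaches a log line or an HTTP response, quotes and control characters in it are reproduced as-is. `%q` keeps the value but escapes it: `return fmt.Errorf("reason should be at least %d chars but %q was %d", minimumReasonLength, reason, length)`. The value is shorter than minimumReasonLength on this branch, so the exposure is small, but it is the only place on the page where user text is embedded in an error message. SignUpReason's body begins outside the hunk.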
@@ -191,8 +193,8 @@ func SiteTitle(siteTitle string) error {
 
 // SiteShortDescription ensures that the given site short description is within spec.
 func SiteShortDescription(d string) error {
- if len(d) > maximumShortDescriptionLength {
- return fmt.Errorf("short description should be no more than %d chars but given description was %d", maximumShortDescriptionLength, len(d))
+ if length := len([]rune(d)); length > maximumShortDescriptionLength {
+ return fmt.Errorf("short description should be no more than %d chars but given description was %d", maximumShortDescriptionLength, length)
 }
 
 return nil
@@ -200,8 +202,8 @@ func SiteShortDescription(d string) error {
 
 // SiteDescription ensures that the given site description is within spec.
 func SiteDescription(d string) error {
- if len(d) > maximumDescriptionLength {
- return fmt.Errorf("description should be no more than %d chars but given description was %d", maximumDescriptionLength, len(d))
+ if length := len([]rune(d)); length > maximumDescriptionLength {
+ return fmt.Errorf("description should be no more than %d chars but given description was %d", maximumDescriptionLength, length)
 }
 
 return nil
@@ -209,8 +211,8 @@ func SiteDescription(d string) error {
 
 // SiteTerms ensures that the given site terms string is within spec.
 func SiteTerms(t string) error {
- if len(t) > maximumSiteTermsLength {
- return fmt.Errorf("terms should be no more than %d chars but given terms was %d", maximumSiteTermsLength, len(t))
+ if length := len([]rune(t)); length > maximumSiteTermsLength {
+ return fmt.Errorf("terms should be no more than %d chars but given terms was %d", maximumSiteTermsLength, length)
 }
 
 return nil
diff --git a/internal/validate/formvalidation_test.go b/internal/validate/formvalidation_test.go
index ff40b1dfb..f52b7402f 100644
--- a/internal/validate/formvalidation_test.go
+++ b/internal/validate/formvalidation_test.go
@@ -233,6 +233,7 @@ func (suite *ValidationTestSuite) TestValidateReason() {
 badReason := "because"
 goodReason := "to smash the state and destroy capitalism ultimately and completely"
 tooLong := "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Mauris auctor mollis viverra. Maecenas maximus mollis sem, nec fermentum velit consectetur non. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Quisque a enim nibh. Vestibulum bibendum leo ac porttitor auctor. Curabitur velit tellus, facilisis vitae lorem a, ullamcorper efficitur leo. Sed a auctor tortor. Sed ut finibus ante, sit amet laoreet sapien. Donec ullamcorper tellus a nibh sodales vulputate. Donec id dolor eu odio mollis bibendum. Pellentesque habitant morbi tristique senectus et netus at."
+ unicode := "⎾⎿⏀⏁⏂⏃⏄⏅⏆⏇"
 var err error
 
 // check with no reason required
@@ -256,6 +257,11 @@ func (suite *ValidationTestSuite) TestValidateReason() {
 assert.Equal(suite.T(), nil, err)
 }
 
+ err = validate.SignUpReason(unicode, false)
+ if assert.NoError(suite.T(), err) {
+ assert.Equal(suite.T(), nil, err)
+ }
+
 // check with reason required
 err = validate.SignUpReason(empty, true)
 if assert.Error(suite.T(), err) {
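Review bot: The added `unicode` case is ten runes but thirty bytes, so whether it distinguishes rune counting from the old byte counting depends on minimumReasonLength, which is not visible here; if the minimum is thirty or fewer, the case passed before the fix as well. A case that only the fix accepts would be a string of multibyte runes whose byte length exceeds maximumReasonLength while its rune count does not, asserted with `assert.NoError`, paired with one whose rune count exceeds the maximum, asserted with `assert.Error`. The `if assert.NoError(suite.T(), err) { assert.Equal(suite.T(), nil, err) }` wrapper restates the condition it just checked; `assert.NoError(suite.T(), err)` alone is enough. TestValidateReason continues outside both hunks.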