Limit last name length to mitigate potential DoS

GrottoPress · Jul 28, 2024 · df8071e · df8071e
1 parent 4f73d70
commit df8071e
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/lang/en.yml b/lang/en.yml
@@ -310,6 +310,7 @@ en:
       ip_address_required: IP address could not be determined
       last_name_invalid: Last name is not a valid name
       last_name_required: Last name is required
+      last_name_too_long: Last name cannot be longer than %{max} characters
       level_required: Level is required
       login_failed: Email or password is incorrect
       login_notify_required: Login notification was not set

diff --git a/spec/app/operations/mixins/validate_user_spec.cr b/spec/app/operations/mixins/validate_user_spec.cr
@@ -72,4 +72,15 @@ describe Mixins::ValidateUser do
       operation.first_name.should have_error("longer than")
     end
   end
+
+  it "rejects long last name" do
+    SaveUser.create(params(
+      first_name: "Kiddi",
+      last_name: "l" * 300,
+      level: :author
+    )) do |operation, _|
+      operation.saved?.should be_false
+      operation.last_name.should have_error("longer than")
+    end
+  end
 end
diff --git a/src/operations/mixins/validate_user.cr b/src/operations/mixins/validate_user.cr
@@ -9,6 +9,7 @@ module Mixins::ValidateUser
       validate_last_name_valid
 
       validate_first_name_length
+      validate_last_name_length
     end
 
     private def validate_first_name_required
@@ -42,5 +43,13 @@ module Mixins::ValidateUser
         max: max,
         message: Rex.t(:"operation.error.first_name_too_long", max: max)
     end
+
+    private def validate_last_name_length
+      max = 255
+
+      validate_size_of last_name,
+        max: max,
+        message: Rex.t(:"operation.error.last_name_too_long", max: max)
+    end
   end
 end