author | Arjun Satarkar <me@arjunsatarkar.net> | 2023-08-04 13:38:33 +0000 |
---|---|---|
committer | Arjun Satarkar <me@arjunsatarkar.net> | 2023-08-04 13:38:33 +0000 |
commit | 3da9b211b2d0b552859ec24c05ba26d18d887f2b (patch) | |
tree | e34be3b8a1892bae17941a08da0f2f1ad4214533 | |
parent | b0675aba922d680c2e9d5e0dc0337ac81d1ce086 (diff) | |
Set (high) limit on tag length
Like the limit added earlier on the number of tags on a given feed, this is
necessary to reduce DoS potential.
-rw-r--r-- | Dockerfile | 2 | ||||
-rw-r--r-- | pyrightconfig.json | 3 | ||||
-rwxr-xr-x | serve.py | 28 |
3 files changed, 25 insertions, 8 deletions
@@ -9,4 +9,4 @@ EXPOSE 8000 STOPSIGNAL SIGINT
-CMD ["python3", "-O", "serve.py", "--host", "0.0.0.0", "--storage-path", "/tagrss_data/tagrss_data.db"]
+CMD ["./serve.py", "--host", "0.0.0.0", "--storage-path", "/tagrss_data/tagrss_data.db"]
diff --git a/pyrightconfig.json b/pyrightconfig.json
index 9c2d55a..3aba5d1 100644
--- a/pyrightconfig.json
+++ b/pyrightconfig.json
@@ -1,3 +1,4 @@
 {
- "typeCheckingMode": "basic"
+ "typeCheckingMode": "basic",
+ "reportUnnecessaryTypeIgnoreComment": true
 }
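Review bot: The new CMD drops `-O`, so every `assert` in serve.py now executes inside the container whereas before it was compiled out; the `assert feed.tags` that the serve.py hunk replaces with validate_tags() was therefore never active in the image, and any other assert the module still contains would now raise at runtime instead of silently passing. That is the right direction, since request validation must not depend on whether the interpreter strips asserts, but the Dockerfile does not record the reason, and `./serve.py` now also relies on the script's shebang and exec bit (the diffstat shows serve.py as executable; the shebang line is not visible here). Suggest a comment above the CMD: `# Run without -O so validation is never compiled out; serve.py must keep its shebang and exec bit.`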
\ No newline at end of file
@@ -20,6 +20,7 @@ import tagrss
 MAX_PER_PAGE_ENTRIES = 1000
 DEFAULT_PER_PAGE_ENTRIES = 50
 MAX_TAGS = 100
+MAX_TAG_LENGTH = 200
 
 logging.basicConfig(
     format='%(levelname)s:%(name)s:"%(asctime)s":%(message)s',
@@ -70,6 +71,20 @@ def serialise_tags(tags: list[str]) -> str:
     return result
 
 
+def validate_tags(tags: list[str]) -> typing.Optional[bottle.HTTPError]:
+    if len(tags) > MAX_TAGS:
+        return bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")
+    else:
+        for tag in tags:
+            length = len(tag)
+            if length > MAX_TAG_LENGTH:
+                return bottle.HTTPError(
+                    400,
+                    f"A tag cannot be longer than {MAX_TAG_LENGTH} characters. The "
+                    f"following tag provided violates this: {tag}.",
+                )
+
+
 @bottle.get("/")
 def index():
     per_page: int = min(
@@ -165,8 +180,9 @@ def add_feed_effect():
     tags = parse_space_separated_tags(bottle.request.forms.get("tags"))  # type: ignore
     custom_title: str = bottle.request.forms.get("title")  # type: ignore
 
-    if len(tags) > MAX_TAGS:
-        raise bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")
+    tag_validation_error = validate_tags(tags)
+    if tag_validation_error:
+        raise tag_validation_error
 
     try:
         feed_id = core.add_feed(
@@ -238,9 +254,9 @@ def manage_feed_effect():
         title=bottle.request.forms["title"],  # type: ignore
         tags=parse_space_separated_tags(serialised_tags),
     )
-    assert feed.tags
-    if len(feed.tags) > MAX_TAGS:
-        raise bottle.HTTPError(400, f"A feed cannot have more than {MAX_TAGS} tags.")
+    tag_validation_error = validate_tags(feed.tags)  # type: ignore
+    if tag_validation_error:
+        raise tag_validation_error
     try:
         core.set_feed_source(feed.id, feed.source)
     except tagrss.FeedSourceAlreadyExistsError:
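Review bot: validate_tags() echoes the offending tag verbatim into the 400 body on the `f"following tag provided violates this: {tag}."` line, so up to MAX_TAG_LENGTH characters of caller-controlled text are reflected into an error page; bottle's stock error template renders `e.body` through an escaping `{{ }}` placeholder as far as I recall, so this is probably not exploitable today, but the client already knows which tag it sent and the echo becomes a liability the moment the error page is customised, so the simpler message `f"A tag cannot be longer than {MAX_TAG_LENGTH} characters.",` is safer. The function also has no docstring; suggest `"""Return a 400 HTTPError if tags exceeds MAX_TAGS or any tag exceeds MAX_TAG_LENGTH, else None."""`. Note that `len(tag)` counts code points, so a feed can still carry 100 × 200 characters and several times that in UTF-8 bytes — fine if that is the intended bound, but worth stating in the docstring since the commit message frames this as a DoS limit. The `else:` after the early return and the one-use `length` local can go: `for tag in tags:` / `if len(tag) > MAX_TAG_LENGTH:`.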
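Review bot: The `# type: ignore` on `validate_tags(feed.tags)` in the manage_feed_effect hunk stands in for the removed `assert feed.tags` rather than narrowing the Optional the checker is presumably complaining about, and the same suppression is added on `core.set_feed_tags(feed.id, feed.tags)` in the following hunk; with `reportUnnecessaryTypeIgnoreComment` now enabled these two ignores will simply persist. Since `tags=parse_space_separated_tags(serialised_tags)` is assigned two lines above, feed.tags cannot be None on this path, so binding the parsed list to a local first (`tags = parse_space_separated_tags(serialised_tags)`), passing `tags=tags` into the Feed, and calling `validate_tags(tags)` and `core.set_feed_tags(feed.id, tags)` on that local would remove both ignores without weakening the check. manage_feed_effect starts and ends outside the hunk.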
@@ -257,7 +273,7 @@ def manage_feed_effect():
                 f"Cannot change title to {feed.title} as there is already a feed with"
                 " that title.",
             )
-    core.set_feed_tags(feed.id, feed.tags)
+    core.set_feed_tags(feed.id, feed.tags)  # type: ignore
     logging.info(f"Edited details of feed {feed.id}.")
     return bottle.template(
         "manage_feed", feed=feed, serialised_tags=serialised_tags, after_update=True