Limit notes lengths to mitigate potential DoS

GrottoPress · Jul 27, 2024 · a05930e · a05930e
1 parent cd7012c
commit a05930e
Show file tree

Hide file tree

Showing 9 changed files with 77 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Changed
 - Upgrade GitHub actions
 - Limit description lengths to mitigate potential DoS
+- Limit notes lengths to mitigate potential DoS
 
 ## [0.17.0] - 2024-06-02
 

diff --git a/docs/10-I18N.md b/docs/10-I18N.md
@@ -100,6 +100,7 @@ en:
       invoice_items_empty: Invoice has no line items
       invoice_not_finalized: Invoice is not finalized
       invoice_not_found: Invoice does not exist
+      notes_too_long: Notes cannot be longer than %{max} characters
       price_lte_zero: Price must be greater than zero
       price_required: Price is required
       quantity_lte_zero: Quantity must be greater than zero

diff --git a/spec/bill/operations/mixins/validate_credit_note_spec.cr b/spec/bill/operations/mixins/validate_credit_note_spec.cr
@@ -1,7 +1,7 @@
 require "../../../spec_helper"
 
 private class SaveCreditNote < CreditNote::SaveOperation
-  permit_columns :invoice_id, :description, :reference, :status
+  permit_columns :invoice_id, :description, :notes, :reference, :status
 
   include Bill::ValidateCreditNote
 end
@@ -115,4 +115,20 @@ describe Bill::ValidateCreditNote do
         .should(have_error "operation.error.description_too_long")
     end
   end
+
+  it "rejects long notes" do
+    user = UserFactory.create
+    invoice = InvoiceFactory.create &.user_id(user.id).status(:open)
+
+    SaveCreditNote.create(params(
+      invoice_id: invoice.id,
+      notes: "n" * 5000,
+      reference: "123",
+      status: :open
+    )) do |operation, credit_note|
+      credit_note.should be_nil
+
+      operation.notes.should(have_error "operation.error.notes_too_long")
+    end
+  end
 end
diff --git a/spec/bill/operations/mixins/validate_invoice_spec.cr b/spec/bill/operations/mixins/validate_invoice_spec.cr
@@ -5,6 +5,7 @@ private class SaveInvoice < Invoice::SaveOperation
     :business_details,
     :description,
     :due_at,
+    :notes,
     :reference,
     :status,
     :user_details
@@ -150,4 +151,22 @@ describe Bill::ValidateInvoice do
         .should(have_error "operation.error.description_too_long")
     end
   end
+
+  it "rejects long notes" do
+    user = UserFactory.create
+
+    SaveInvoice.create(params(
+      user_id: user.id,
+      business_details: "ACME Inc",
+      due_at: 1.day.from_now,
+      notes: "n" * 5000,
+      reference: "123",
+      status: :open,
+      user_details: "Mary Smith"
+    )) do |operation, invoice|
+      invoice.should be_nil
+
+      operation.notes.should(have_error "operation.error.notes_too_long")
+    end
+  end
 end
diff --git a/spec/bill/operations/mixins/validate_receipt_spec.cr b/spec/bill/operations/mixins/validate_receipt_spec.cr
@@ -5,6 +5,7 @@ private class SaveReceipt < Receipt::SaveOperation
     :amount,
     :business_details,
     :description,
+    :notes,
     :reference,
     :status,
     :user_details
@@ -184,4 +185,22 @@ describe Bill::ValidateReceipt do
         .should(have_error "operation.error.description_too_long")
     end
   end
+
+  it "rejects long notes" do
+    user = UserFactory.create
+
+    SaveReceipt.create(params(
+      user_id: user.id,
+      business_details: "ACME Inc",
+      amount: 90,
+      notes: "n" * 5000,
+      reference: "123",
+      status: :open,
+      user_details: "Mary Smith"
+    )) do |operation, receipt|
+      receipt.should be_nil
+
+      operation.notes.should(have_error "operation.error.notes_too_long")
+    end
+  end
 end
diff --git a/src/bill/operations/mixins/validate_credit_note.cr b/src/bill/operations/mixins/validate_credit_note.cr
@@ -14,6 +14,7 @@ module Bill::ValidateCreditNote
     include Bill::ValidateStatusTransition
     include Bill::ValidateReference
     include Bill::ValidateDescription
+    include Bill::ValidateNotes
 
     private def validate_status_required
       validate_required status,

diff --git a/src/bill/operations/mixins/validate_invoice.cr b/src/bill/operations/mixins/validate_invoice.cr
@@ -13,6 +13,7 @@ module Bill::ValidateInvoice
     include Bill::ValidateStatusTransition
     include Bill::ValidateReference
     include Bill::ValidateDescription
+    include Bill::ValidateNotes
     include Lucille::ValidateUserExists
 
     private def validate_business_details_required

diff --git a/src/bill/operations/mixins/validate_notes.cr b/src/bill/operations/mixins/validate_notes.cr
@@ -0,0 +1,17 @@
+module Bill::ValidateNotes
+  macro included
+    skip_default_validations
+
+    before_save do
+      validate_notes_length
+    end
+
+    private def validate_notes_length
+      max = 4094
+
+      validate_size_of notes,
+        max: max,
+        message: Rex.t(:"operation.error.notes_too_long", max: max)
+    end
+  end
+end
diff --git a/src/bill/operations/mixins/validate_receipt.cr b/src/bill/operations/mixins/validate_receipt.cr
@@ -15,6 +15,7 @@ module Bill::ValidateReceipt
     include Bill::ValidateStatusTransition
     include Bill::ValidateReference
     include Bill::ValidateDescription
+    include Bill::ValidateNotes
     include Lucille::ValidateUserExists
 
     private def validate_amount_required