| author | marcin mikołajczak <git@mkljczk.pl> | 2024-08-17 19:58:32 +0200 | 
|---|---|---|
| committer | marcin mikołajczak <git@mkljczk.pl> | 2024-08-17 19:58:32 +0200 | 
| commit | c802f3b7f61e1c4bbe2f4eec757802e30f88b6a5 (patch) | |
| tree | 8480b4b162cef74a2b983ba0929bda4ce6dfabbe /lib | |
| parent | 855c5a234f4ca743303f1b88974665d7b9f58684 (diff) | |
Validate media description length
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/user.ex | 24 | ||||
| -rw-r--r-- | lib/pleroma/web/mastodon_api/controllers/account_controller.ex | 6 | 
2 files changed, 27 insertions, 3 deletions
|
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index c3cb72fab..517009253 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -586,16 +586,18 @@ defmodule Pleroma.User do
     |> validate_length(:bio, max: bio_limit)
     |> validate_length(:name, min: 1, max: name_limit)
     |> validate_inclusion(:actor_type, Pleroma.Constants.allowed_user_actor_types())
+    |> validate_image_description(:avatar_description, params)
+    |> validate_image_description(:header_description, params)
     |> put_fields()
     |> put_emoji()
     |> put_change_if_present(:bio, &{:ok, parse_bio(&1, struct)})
     |> put_change_if_present(
       :avatar,
-      &put_upload(&1, :avatar, Map.get(params, :avatar_description, nil))
+      &put_upload(&1, :avatar, Map.get(params, :avatar_description))
     )
     |> put_change_if_present(
       :banner,
-      &put_upload(&1, :banner, Map.get(params, :header_description, nil))
+      &put_upload(&1, :banner, Map.get(params, :header_description))
     )
     |> put_change_if_present(:background, &put_upload(&1, :background))
     |> put_change_if_present(
@@ -689,7 +691,20 @@ defmodule Pleroma.User do
     end
   end

-  defp maybe_update_image_description(changeset, image_field, description) do
+  defp validate_image_description(changeset, key, params) do
+    description_limit = Config.get([:instance, :description_limit], 5_000)
+    description = Map.get(params, key)
+
+    if is_binary(description) and String.length(description) > description_limit do
+      changeset
+      |> add_error(key, "#{key} is too long")
+    else
+      changeset
+    end
+  end
+
+  defp maybe_update_image_description(changeset, image_field, description)
+       when is_binary(description) do
     with {:image_missing, true} <- {:image_missing, not changed?(changeset, image_field)},
          {:existing_image, %{"id" => id}} <-
            {:existing_image, Map.get(changeset.data, image_field)},
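Review bot: In `validate_image_description/3` a description that is present but not a binary skips the length check entirely and falls into the `else` branch, yet the first hunk still hands `Map.get(params, :avatar_description)` and `Map.get(params, :header_description)` to `put_upload/3` unchanged. Unless the request schema already guarantees a string (not visible in this diff), reject such values explicitly, for example with a clause `not is_nil(description) and not is_binary(description) -> add_error(changeset, key, "is invalid")`. The limit is also counted in graphemes by `String.length/1`, which does not cap the stored size because one grapheme cluster can hold many combining code points; a cheap `byte_size(description)` ceiling next to it would bound what is persisted and federated. The new guarded clause of `maybe_update_image_description/3` continues past the end of this hunk.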
@@ -697,10 +712,13 @@ defmodule Pleroma.User do
          {:ok, object} <- Object.update_data(object, %{"name" => description}) do
       put_change(changeset, image_field, object.data)
     else
+      {:description_too_long, true} -> {:error}
       _ -> changeset
     end
   end

+  defp maybe_update_image_description(changeset, _, _), do: changeset
+
   def update_as_admin_changeset(struct, params) do
     struct
     |> update_changeset(params)
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
index 2302d6ed8..68157b0c4 100644
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -279,6 +279,12 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
       {:error, %Ecto.Changeset{errors: [{:name, {_, _}} | _]}} ->
         render_error(conn, :request_entity_too_large, "Name is too long")

+      {:error, %Ecto.Changeset{errors: [{:avatar_description, {_, _}} | _]}} ->
+        render_error(conn, :request_entity_too_large, "Avatar description is too long")
+
+      {:error, %Ecto.Changeset{errors: [{:header_description, {_, _}} | _]}} ->
+        render_error(conn, :request_entity_too_large, "Banner description is too long")
+
       {:error, %Ecto.Changeset{errors: [{:fields, {"invalid", _}} | _]}} ->
         render_error(conn, :request_entity_too_large, "One or more field entries are too long")

|
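Review bot: The added `else` clause `{:description_too_long, true} -> {:error}` in `maybe_update_image_description/3` appears unreachable, and it returns the wrong shape if it ever fires. None of the `with` clauses visible in this hunk or the previous one produces a `:description_too_long` tag (one clause between the two hunks is not shown), and `{:error}` is a one-element tuple while every other branch returns a changeset. A caller that keeps treating the result as a changeset would crash instead of surfacing a validation error. Since the length is now enforced by `validate_image_description/3` in `update_changeset`, I would drop this clause and keep only `_ -> changeset`. The `with` head of this function starts in the previous hunk.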
