
Comments (10)

vecna commented on May 17, 2024

Ok, I'm ready to fix this.

I can put a limit that, if exceeded, would return an error (e.g. for a length of more than 40 Unicode characters, return an InvalidInputFormat error), but this perhaps needs to be written in the "hint" of the client.

Plus, this check would also be performed on email (> 40), password (< 6 and > 40) and description (> 400).

Sounds fine as hard-coded limits?

@hellais @fpietrosanti @evilaliv3

from globaleaks.

fpietrosanti commented on May 17, 2024

Sounds fine to me

fpietrosanti commented on May 17, 2024

@hellais can you also put a cap/limit on the client-side?

hellais commented on May 17, 2024

Why do we need to have limits to the size of inputs?

I mean, these inputs are things that are configurable by the node admin. If the node admin wants to have a receiver description of more than 400 chars, I don't see why we should prohibit them from doing so.

If there are some fields that should be of a certain length because they look better, then we should identify them and provide some visual feedback to the user as to how much text they should be inputting in the textarea/input box.

fpietrosanti commented on May 17, 2024

Good; anyhow, we should have limits for certain fields' size.

Since this only impacts the "visualization" of elements, we may just put those limits into GLClient without enforcing them on GLBackend.

That way the fields that should reasonably have a maximum limit will be client-side (I mean, like the name of the receiver, which is the one for which I just opened the ticket).

vecna commented on May 17, 2024

I'll put in those limit checks, and the maximum size will be configurable in the settings (now) and in the configure (when it comes to be implemented, shortly) or in the admin web page (if requested). I agree that the limits need to be configurable, but at the moment the part of the code that accepts those data is also missing (I believe the best way is to implement the validation function in Storm), so that needs to be done too.

hellais commented on May 17, 2024

This has been implemented in the client: https://github.com/globaleaks/GLClient/commit/b375cfba08780d6b90800a69deb45d4c38011e0d

hellais commented on May 17, 2024

For the time being, let's just stick to validating the length of the name of the receivers.

vecna commented on May 17, 2024

... this is wrong: if I make a pentest on this app, the second POST I make is composed of two megabytes of data :)

    def test_5_create_huge_submission(self):
        submission_request = dict(SubmissionTest.aSubmission)

        submission_request['receivers'] = [SubmissionTest.receiver_used['receiver_gus']]
        submission_request['context_gus'] = SubmissionTest.context_used['context_gus']
        # two fields of one million characters each: about 2 MB of payload
        submission_request['wb_fields']['headline'] = unicode("A" * 1000 * 1000)
        submission_request['wb_fields']['Sun'] = unicode("B" * 1000 * 1000)
        submission_request['finalize'] = True

It works! But is this what we want?

vecna commented on May 17, 2024

Implemented a validator for Storm, in:
https://github.com/globaleaks/GLBackend/commit/42e3b277d49bb2a1f99bd908195bfe8bb5da6910 and tested.

Now there are three hardcoded limits:

  1. the "name" fields need to be > 0 and < 128
  2. the "description" fields need to be < 1024
  3. all the unicode values, inside a dict or directly in the DB, have a limit of 2048

Those limits are written in settings.py, and checked before saving a certain value in the DB.
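The three limits above, applied the way the thread describes (every string checked before it reaches the DB, including strings nested inside a dict), written here as an added example and not as GLBackend's actual Storm validator; the recursive walk, the InvalidInputFormat class and the two constructed submissions (one of them the 2 MB payload from the earlier test) are assumptions of this example, and it uses Python 3 str where the thread's code used Python 2 unicode:

```python
# Added example, not GLBackend's code: the thread's three hard-coded limits,
# enforced on every string value of a submission before it would be stored.
NAME_MAX = 128          # "name" must be > 0 and < 128 characters
DESCRIPTION_MAX = 1024  # "description" must be < 1024 characters
UNICODE_MAX = 2048      # every other string, even nested in a dict, < 2048


class InvalidInputFormat(ValueError):
    """Error name taken from the thread; the class itself is assumed here."""


def limit_for(key):
    """Return (min, max-exclusive) for a field name; only 'name' has a minimum."""
    if key == "name":
        return 1, NAME_MAX
    if key == "description":
        return 0, DESCRIPTION_MAX
    return 0, UNICODE_MAX


def validate(obj, key=None, path="$"):
    """Walk dicts and lists, check every str leaf; return how many were checked."""
    if isinstance(obj, dict):
        return sum(validate(v, k, f"{path}.{k}") for k, v in obj.items())
    if isinstance(obj, list):
        return sum(validate(v, key, f"{path}[{i}]") for i, v in enumerate(obj))
    if isinstance(obj, str):
        lo, hi = limit_for(key)
        if not (lo <= len(obj) < hi):
            raise InvalidInputFormat(
                f"{path}: length {len(obj)} outside [{lo}, {hi})")
        return 1
    return 0  # ints, bools, None carry no length limit


def is_valid(obj):
    """Boolean form for callers that prefer a result over an exception."""
    try:
        validate(obj)
        return True
    except InvalidInputFormat:
        return False


# Constructed inputs: a sane submission, and the ~2 MB one from the test above.
GOOD = {"context_gus": "ctx-1", "receivers": ["rcv-1"],
        "wb_fields": {"headline": "Short headline", "Sun": "B" * 100},
        "finalize": True}
HUGE = {"context_gus": "ctx-1", "receivers": ["rcv-1"],
        "wb_fields": {"headline": "A" * 1000 * 1000, "Sun": "B" * 1000 * 1000},
        "finalize": True}
```

The 2 MB submission is rejected at the first oversized leaf, so the walk never needs to read the whole payload.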
