-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requests: No Length Upper Boundary for Comment Messages #2731
Requests: No Length Upper Boundary for Comment Messages #2731
Comments
Questions:
|
How big do you consider this to be a security risk since the commenting is restricted only to users who have access to particular request? In most of the instances the users who are authenticated in the system are verified and part of the institution who runs the instance, therefore the malicious intent is quite limited. Please let me know if you are aware of other cases - otherwise I wouldn't consider this as a v12 release blocker |
Thanks for the comment @kpsherva . While logged-in users are generally trusted, risks include:
|
After a DM on Discord, it’s decided that v12 will focus on critical fixes due to resource constraints for testing. |
This issue was automatically marked as stale. |
This issue was automatically marked as stale. |
Package version (if known): v12rc2 / latest
Describe the bug
The comment feature in the Requests allows users to send comments with no limit on length, posing a security risk such as denial of service attacks or system crashes due to excessively long messages.
Steps to Reproduce
Expected behavior
The system should enforce a reasonable limit on the length of comments to prevent abuse and ensure stability.
Screenshots (if applicable)
Links:
https://github.com/fenekku/invenio-requests/blob/master/invenio_requests/customizations/event_types.py#L145
https://github.com/inveniosoftware/invenio-requests/blob/82dbf2885c8e777caa1c5163971ab5c31aca5398/invenio_requests/records/jsonschemas/requests/definitions-v1.0.0.json#L12
https://github.com/inveniosoftware/invenio-requests/blob/master/invenio_requests/services/events/service.py
The text was updated successfully, but these errors were encountered: