commit fc524f8cf16761f949303a96bca14e63c46ceda8
parent 45f961a9fe65127980e0e12a46ac4ac8f5b5752b
Author: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Thu, 25 May 2023 15:18:15 +0200
[feature] Configurable custom css length (#1827)
* [feature] Make accounts custom css length configurable
* test custom css validation
Diffstat:
9 files changed, 174 insertions(+), 89 deletions(-)
diff --git a/docs/configuration/accounts.md b/docs/configuration/accounts.md
@@ -39,4 +39,11 @@ accounts-reason-required: true
# Options: [true, false]
# Default: false
accounts-allow-custom-css: false
+
+# Int. If accounts-allow-custom-css is true, this is the permitted length in characters for
+# CSS uploaded by accounts on this instance. No effect if accounts-allow-custom-css is false.
+#
+# Examples: [500, 5000, 9999]
+# Default: 10000
+accounts-custom-css-length: 10000
```
diff --git a/example/config.yaml b/example/config.yaml
@@ -433,6 +433,13 @@ accounts-reason-required: true
# Default: false
accounts-allow-custom-css: false
+# Int. If accounts-allow-custom-css is true, this is the permitted length in characters for
+# CSS uploaded by accounts on this instance. No effect if accounts-allow-custom-css is false.
+#
+# Examples: [500, 5000, 9999]
+# Default: 10000
+accounts-custom-css-length: 10000
+
########################
##### MEDIA CONFIG #####
########################
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -85,6 +85,7 @@ type Configuration struct {
AccountsApprovalRequired bool `name:"accounts-approval-required" usage:"Do account signups require approval by an admin or moderator before user can log in? If false, new registrations will be automatically approved."`
AccountsReasonRequired bool `name:"accounts-reason-required" usage:"Do new account signups require a reason to be submitted on registration?"`
AccountsAllowCustomCSS bool `name:"accounts-allow-custom-css" usage:"Allow accounts to enable custom CSS for their profile pages and statuses."`
+ AccountsCustomCSSLength int `name:"accounts-custom-css-length" usage:"Maximum permitted length (characters) of custom CSS for accounts."`
MediaImageMaxSize bytesize.Size `name:"media-image-max-size" usage:"Max size of accepted images in bytes"`
MediaVideoMaxSize bytesize.Size `name:"media-video-max-size" usage:"Max size of accepted videos in bytes"`
diff --git a/internal/config/defaults.go b/internal/config/defaults.go
@@ -65,6 +65,7 @@ var Defaults = Configuration{
AccountsApprovalRequired: true,
AccountsReasonRequired: true,
AccountsAllowCustomCSS: false,
+ AccountsCustomCSSLength: 10000,
MediaImageMaxSize: 10 * bytesize.MiB,
MediaVideoMaxSize: 40 * bytesize.MiB,
diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go
@@ -74,6 +74,31 @@ func GetLogDbQueries() bool { return global.GetLogDbQueries() }
// SetLogDbQueries safely sets the value for global configuration 'LogDbQueries' field
func SetLogDbQueries(v bool) { global.SetLogDbQueries(v) }
+// GetLogClientIP safely fetches the Configuration value for state's 'LogClientIP' field
+func (st *ConfigState) GetLogClientIP() (v bool) {
+ st.mutex.Lock()
+ v = st.config.LogClientIP
+ st.mutex.Unlock()
+ return
+}
+
+// SetLogClientIP safely sets the Configuration value for state's 'LogClientIP' field
+func (st *ConfigState) SetLogClientIP(v bool) {
+ st.mutex.Lock()
+ defer st.mutex.Unlock()
+ st.config.LogClientIP = v
+ st.reloadToViper()
+}
+
+// LogClientIPFlag returns the flag name for the 'LogClientIP' field
+func LogClientIPFlag() string { return "log-client-ip" }
+
+// GetLogClientIP safely fetches the value for global configuration 'LogClientIP' field
+func GetLogClientIP() bool { return global.GetLogClientIP() }
+
+// SetLogClientIP safely sets the value for global configuration 'LogClientIP' field
+func SetLogClientIP(v bool) { global.SetLogClientIP(v) }
+
// GetApplicationName safely fetches the Configuration value for state's 'ApplicationName' field
func (st *ConfigState) GetApplicationName() (v string) {
st.mutex.Lock()
@@ -924,6 +949,31 @@ func GetAccountsAllowCustomCSS() bool { return global.GetAccountsAllowCustomCSS(
// SetAccountsAllowCustomCSS safely sets the value for global configuration 'AccountsAllowCustomCSS' field
func SetAccountsAllowCustomCSS(v bool) { global.SetAccountsAllowCustomCSS(v) }
+// GetAccountsCustomCSSLength safely fetches the Configuration value for state's 'AccountsCustomCSSLength' field
+func (st *ConfigState) GetAccountsCustomCSSLength() (v int) {
+ st.mutex.Lock()
+ v = st.config.AccountsCustomCSSLength
+ st.mutex.Unlock()
+ return
+}
+
+// SetAccountsCustomCSSLength safely sets the Configuration value for state's 'AccountsCustomCSSLength' field
+func (st *ConfigState) SetAccountsCustomCSSLength(v int) {
+ st.mutex.Lock()
+ defer st.mutex.Unlock()
+ st.config.AccountsCustomCSSLength = v
+ st.reloadToViper()
+}
+
+// AccountsCustomCSSLengthFlag returns the flag name for the 'AccountsCustomCSSLength' field
+func AccountsCustomCSSLengthFlag() string { return "accounts-custom-css-length" }
+
+// GetAccountsCustomCSSLength safely fetches the value for global configuration 'AccountsCustomCSSLength' field
+func GetAccountsCustomCSSLength() int { return global.GetAccountsCustomCSSLength() }
+
+// SetAccountsCustomCSSLength safely sets the value for global configuration 'AccountsCustomCSSLength' field
+func SetAccountsCustomCSSLength(v int) { global.SetAccountsCustomCSSLength(v) }
+
// GetMediaImageMaxSize safely fetches the Configuration value for state's 'MediaImageMaxSize' field
func (st *ConfigState) GetMediaImageMaxSize() (v bytesize.Size) {
st.mutex.Lock()
@@ -3829,28 +3879,3 @@ func GetRequestIDHeader() string { return global.GetRequestIDHeader() }
// SetRequestIDHeader safely sets the value for global configuration 'RequestIDHeader' field
func SetRequestIDHeader(v string) { global.SetRequestIDHeader(v) }
-
-// GetLogClientIP safely fetches the Configuration value for state's 'LogClientIP' field
-func (st *ConfigState) GetLogClientIP() (v bool) {
- st.mutex.Lock()
- v = st.config.LogClientIP
- st.mutex.Unlock()
- return
-}
-
-// SetLogClientIP safely sets the Configuration value for state's 'LogClientIP' field
-func (st *ConfigState) SetLogClientIP(v bool) {
- st.mutex.Lock()
- defer st.mutex.Unlock()
- st.config.LogClientIP = v
- st.reloadToViper()
-}
-
-// LogClientIPFlag returns the flag name for the 'LogClientIP' field
-func LogClientIPFlag() string { return "log-client-ip" }
-
-// GetLogClientIP safely fetches the value for global configuration 'LogClientIP' field
-func GetLogClientIP() bool { return global.GetLogClientIP() }
-
-// SetLogClientIP safely sets the value for global configuration 'LogClientIP' field
-func SetLogClientIP(v bool) { global.SetLogClientIP(v) }
diff --git a/internal/validate/formvalidation.go b/internal/validate/formvalidation.go
@@ -41,7 +41,6 @@ const (
maximumDescriptionLength = 5000
maximumSiteTermsLength = 5000
maximumUsernameLength = 64
- maximumCustomCSSLength = 5000
maximumEmojiCategoryLength = 64
maximumProfileFieldLength = 255
maximumProfileFields = 6
@@ -170,9 +169,11 @@ func CustomCSS(customCSS string) error {
return errors.New("accounts-allow-custom-css is not enabled for this instance")
}
+ maximumCustomCSSLength := config.GetAccountsCustomCSSLength()
if length := len([]rune(customCSS)); length > maximumCustomCSSLength {
return fmt.Errorf("custom_css must be less than %d characters, but submitted custom_css was %d characters", maximumCustomCSSLength, length)
}
+
return nil
}
diff --git a/internal/validate/formvalidation_test.go b/internal/validate/formvalidation_test.go
@@ -22,8 +22,8 @@ import (
"fmt"
"testing"
- "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/suite"
+ "github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/validate"
)
@@ -44,43 +44,43 @@ func (suite *ValidationTestSuite) TestCheckPasswordStrength() {
var err error
err = validate.NewPassword(empty)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("no password provided"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("no password provided"), err)
}
err = validate.NewPassword(terriblePassword)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("password is only 62% strength, try including more special characters, using uppercase letters, using numbers or using a longer password"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("password is only 62% strength, try including more special characters, using uppercase letters, using numbers or using a longer password"), err)
}
err = validate.NewPassword(weakPassword)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("password is only 95% strength, try including more special characters, using numbers or using a longer password"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("password is only 95% strength, try including more special characters, using numbers or using a longer password"), err)
}
err = validate.NewPassword(shortPassword)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("password is only 39% strength, try including more special characters or using a longer password"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("password is only 39% strength, try including more special characters or using a longer password"), err)
}
err = validate.NewPassword(specialPassword)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("password is only 53% strength, try including more special characters or using a longer password"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("password is only 53% strength, try including more special characters or using a longer password"), err)
}
err = validate.NewPassword(longPassword)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.NewPassword(tooLong)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("password should be no more than 256 chars"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("password should be no more than 256 chars"), err)
}
err = validate.NewPassword(strongPassword)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
}
@@ -133,28 +133,28 @@ func (suite *ValidationTestSuite) TestValidateEmail() {
var err error
err = validate.Email(empty)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("no email provided"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("no email provided"), err)
}
err = validate.Email(notAnEmailAddress)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("mail: missing '@' or angle-addr"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("mail: missing '@' or angle-addr"), err)
}
err = validate.Email(almostAnEmailAddress)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("mail: no angle-addr"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("mail: no angle-addr"), err)
}
err = validate.Email(aWebsite)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("mail: missing '@' or angle-addr"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("mail: missing '@' or angle-addr"), err)
}
err = validate.Email(emailAddress)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
}
@@ -171,48 +171,48 @@ func (suite *ValidationTestSuite) TestValidateLanguage() {
var err error
err = validate.Language(empty)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("no language provided"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("no language provided"), err)
}
err = validate.Language(notALanguage)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("language: tag is not well-formed"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("language: tag is not well-formed"), err)
}
err = validate.Language(english)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.Language(capitalEnglish)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.Language(arabic3Letters)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.Language(mixedCapsEnglish)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.Language(englishUS)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("language: tag is not well-formed"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("language: tag is not well-formed"), err)
}
err = validate.Language(dutch)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.Language(german)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
}
@@ -226,49 +226,49 @@ func (suite *ValidationTestSuite) TestValidateReason() {
// check with no reason required
err = validate.SignUpReason(empty, false)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.SignUpReason(badReason, false)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.SignUpReason(tooLong, false)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.SignUpReason(goodReason, false)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
err = validate.SignUpReason(unicode, false)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
// check with reason required
err = validate.SignUpReason(empty, true)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("no reason provided"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("no reason provided"), err)
}
err = validate.SignUpReason(badReason, true)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("reason should be at least 40 chars but 'because' was 7"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("reason should be at least 40 chars but 'because' was 7"), err)
}
err = validate.SignUpReason(tooLong, true)
- if assert.Error(suite.T(), err) {
- assert.Equal(suite.T(), errors.New("reason should be no more than 500 chars but given reason was 600"), err)
+ if suite.Error(err) {
+ suite.Equal(errors.New("reason should be no more than 500 chars but given reason was 600"), err)
}
err = validate.SignUpReason(goodReason, true)
- if assert.NoError(suite.T(), err) {
- assert.Equal(suite.T(), nil, err)
+ if suite.NoError(err) {
+ suite.Equal(nil, err)
}
}
@@ -302,6 +302,46 @@ func (suite *ValidationTestSuite) TestValidateProfileField() {
suite.Len(dodgyFields[0].Value, 255)
}
+func (suite *ValidationTestSuite) TestValidateCustomCSSDisabled() {
+ config.SetAccountsAllowCustomCSS(false)
+
+ err := validate.CustomCSS("this will fail")
+ suite.EqualError(err, "accounts-allow-custom-css is not enabled for this instance")
+}
+
+func (suite *ValidationTestSuite) TestValidateCustomCSSEnabled() {
+ config.SetAccountsAllowCustomCSS(true)
+
+ err := validate.CustomCSS("this will pass")
+ suite.NoError(err)
+}
+
+func (suite *ValidationTestSuite) TestValidateCustomCSSTooLong() {
+ config.SetAccountsAllowCustomCSS(true)
+ config.SetAccountsCustomCSSLength(5)
+
+ err := validate.CustomCSS("this will fail")
+ suite.EqualError(err, "custom_css must be less than 5 characters, but submitted custom_css was 14 characters")
+}
+
+func (suite *ValidationTestSuite) TestValidateCustomCSSTooLongZalgo() {
+ config.SetAccountsAllowCustomCSS(true)
+ config.SetAccountsCustomCSSLength(5)
+ zalgo := "p̵̹̜͇̺̜̱͊̓̈́͛̀͊͘͜e̷̡̱̲̼̪̗̙̐͐̃́̄̉͛̔e̷̞̰̜̲̥̘̻͔̜̞̬͚͋̊͑͗̅̓͛͗̎̃̈́̐̂̕͝ ̷̨̢̡̱̖̤͇̻͕̲̤̞̑ͅp̶̰̜̟̠̏̇̇̆̐̒͋̔͘ḛ̵̾͘ę̷̝͙͕͓͓̱̠̤̳̻̜̗͖̞͙̻̆̓̄͋̎͊̀̋̿́̐͛͗̄̈́̚͠ ̵̨̨̫͕̲͚̮͕̳̉̾̔̍͐p̶̘̞̠̘̎̓̍̑̀͗̃̈́͂́̈́͆͘͜͝͝o̶̜͛̒͒̉̑͒̿͗̐̃͝o̵̼̒͌̓ ̵̢̗̦͔͉͈̰̘̋̃̐̑̅̽̏̄̅͐͆̔͊̃̋͝p̵̩̱̆̆͂̂͛̓̋̅͝o̶̪̰̲̝̻̳̦̮̮͔̒ͅơ̸̧̨̟͇̪̰̜̠̦͇̇̎͗̏̏̈́͂̉̏͐́̃̀͆͠ͅ"
+
+ err := validate.CustomCSS(zalgo)
+ suite.EqualError(err, "custom_css must be less than 5 characters, but submitted custom_css was 275 characters")
+}
+
+func (suite *ValidationTestSuite) TestValidateCustomCSSTooLongUnicode() {
+ config.SetAccountsAllowCustomCSS(true)
+ config.SetAccountsCustomCSSLength(5)
+ unicode := "⎾⎿⏀⏁⏂⏃⏄⏅⏆⏇"
+
+ err := validate.CustomCSS(unicode)
+ suite.EqualError(err, "custom_css must be less than 5 characters, but submitted custom_css was 10 characters")
+}
+
func TestValidationTestSuite(t *testing.T) {
suite.Run(t, new(ValidationTestSuite))
}
diff --git a/test/envparsing.sh b/test/envparsing.sh
@@ -7,6 +7,7 @@ EXPECT=$(cat <<"EOF"
"account-domain": "peepee",
"accounts-allow-custom-css": true,
"accounts-approval-required": false,
+ "accounts-custom-css-length": 5000,
"accounts-reason-required": false,
"accounts-registration-open": true,
"advanced-cookies-samesite": "strict",
@@ -207,6 +208,7 @@ GTS_INSTANCE_EXPOSE_SUSPENDED_WEB=true \
GTS_INSTANCE_EXPOSE_PUBLIC_TIMELINE=true \
GTS_INSTANCE_DELIVER_TO_SHARED_INBOXES=false \
GTS_ACCOUNTS_ALLOW_CUSTOM_CSS=true \
+GTS_ACCOUNTS_CUSTOM_CSS_LENGTH=5000 \
GTS_ACCOUNTS_REGISTRATION_OPEN=true \
GTS_ACCOUNTS_APPROVAL_REQUIRED=false \
GTS_ACCOUNTS_REASON_REQUIRED=false \
diff --git a/testrig/config.go b/testrig/config.go
@@ -71,6 +71,7 @@ var testDefaults = config.Configuration{
AccountsApprovalRequired: true,
AccountsReasonRequired: true,
AccountsAllowCustomCSS: true,
+ AccountsCustomCSSLength: 10000,
MediaImageMaxSize: 10485760, // 10mb
MediaVideoMaxSize: 41943040, // 40mb
