fix(account): security fix

polonel · May 14, 2022 · 87e231e · 87e231e
1 parent 4575ed7
commit 87e231e
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
@@ -17,6 +17,13 @@ const xss = require('xss')
 const fs = require('fs')
 const piexifjs = require('piexifjs')
 
+const MAX_FIELD_TEXT_LENGTH = 255
+const MAX_SHORT_FIELD_TEXT_LENGTH = 25
+
+module.exports.applyMaxShortTextLength = function (text) {
+  return text.toString().substring(0, MAX_SHORT_FIELD_TEXT_LENGTH)
+}
+
 module.exports.sanitizeFieldPlainText = function (text) {
   return xss(text, {
     whileList: {},

diff --git a/src/models/user.js b/src/models/user.js
@@ -90,11 +90,11 @@ userSchema.pre('findOne', autoPopulateRole).pre('find', autoPopulateRole)
 userSchema.pre('save', function (next) {
   var user = this
 
-  user.username = utils.sanitizeFieldPlainText(user.username.toLowerCase().trim())
+  user.username = utils.applyMaxShortTextLength(utils.sanitizeFieldPlainText(user.username.toLowerCase().trim()))
   user.email = utils.sanitizeFieldPlainText(user.email.trim())
 
-  if (user.fullname) user.fullname = utils.sanitizeFieldPlainText(user.fullname.trim())
-  if (user.title) user.title = utils.sanitizeFieldPlainText(user.title.trim())
+  if (user.fullname) user.fullname = utils.applyMaxShortTextLength(utils.sanitizeFieldPlainText(user.fullname.trim()))
+  if (user.title) user.title = utils.applyMaxShortTextLength(utils.sanitizeFieldPlainText(user.title.trim()))
 
   if (!user.isModified('password')) {
     return next()