From f327c0da24eb8427532aafaa6a263166b2af9ab9 Mon Sep 17 00:00:00 2001
From: erik
Date: Thu, 21 Mar 2024 12:18:29 +0100
Subject: [PATCH] Cap max size of federated repo list at 2048 bytes

---
 modules/validation/helpers.go | 4 ++++
 routers/web/repo/setting/setting.go | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/validation/helpers.go b/modules/validation/helpers.go
index 677c2f3b9d..6069714410 100644
--- a/modules/validation/helpers.go
+++ b/modules/validation/helpers.go
@@ -157,6 +157,10 @@ func IsValidFederatedRepoURLList(urls string) bool {
 return true
 }

+func IsOfValidLength(str string) bool {
+ return len(str) <= 2048
+}
+
 var (
 validUsernamePatternWithDots = regexp.MustCompile(`^[\da-zA-Z][-.\w]*$`)
 validUsernamePatternWithoutDots = regexp.MustCompile(`^[\da-zA-Z][-\w]*$`)
diff --git a/routers/web/repo/setting/setting.go b/routers/web/repo/setting/setting.go
index 6d8e0b7ead..6df98fb47a 100644
--- a/routers/web/repo/setting/setting.go
+++ b/routers/web/repo/setting/setting.go
@@ -197,6 +197,11 @@ func SettingsPost(ctx *context.Context) {
 case form.FederationRepos == "":
 repo.FederationRepos = ""
 // Validate
+ case !validation.IsOfValidLength(form.FederationRepos): // ToDo: Use for public testing only. In production we might need longer strings.
+ ctx.Data["ERR_FederationRepos"] = true
+ ctx.Flash.Error("The given string was larger than 2048 bytes")
+ ctx.Redirect(repo.Link() + "/settings")
+ return
 case validation.IsValidFederatedRepoURL(form.FederationRepos):
 repo.FederationRepos = form.FederationRepos
 default:
@@ -205,7 +210,7 @@ func SettingsPost(ctx *context.Context) {
 ctx.Redirect(repo.Link() + "/settings")
 return
 }
- // ToDo: Validate for max length before committing to db
+
 if err := repo_service.UpdateRepository(ctx, repo, false); err != nil {
 ctx.ServerError("UpdateRepository", err)
 return
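Review bot: `IsOfValidLength` in modules/validation/helpers.go is exported without a doc comment, and neither its name nor the bare literal 2048 says which input it bounds. Since this is the check that caps a user-submitted value before it is stored, I would add `// IsOfValidLength reports whether str is at most 2048 bytes long; len counts bytes, not runes.` above it. I would also lift the literal into a named constant such as `const maxFederationReposLen = 2048` (the name is only a suggestion) so the limit has a single home.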
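Review bot: The flash message in the new `case` of `SettingsPost` repeats the literal 2048 that `IsOfValidLength` hard-codes in modules/validation/helpers.go, so the text and the enforced limit will drift once the ToDo about longer strings is acted on. Build the message from one shared exported constant, e.g. `ctx.Flash.Error(fmt.Sprintf("The given string was larger than %d bytes", validation.MaxFederationReposLen))` (the constant name is a suggestion, and `fmt` may need importing). The cap is also enforced only in this web handler: any other code path that writes `repo.FederationRepos` (none is visible in this hunk) would skip it, so the length check is safer inside the URL validator or next to `UpdateRepository`. `SettingsPost` starts and ends outside the hunk.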