Server: Decrease maximum email and full_name sizes (#10303)

packages/server/src/models/UserModel.test.ts

@@ -50,6 +50,19 @@ describe('UserModel', () => {
 		// check that the email is valid
 		error = await checkThrowAsync(async () => await models().user().save({ id: user1.id, email: 'ohno' }));
 		expect(error instanceof ErrorUnprocessableEntity).toBe(true);
+
+		// check that the email is not too long
+		error = await checkThrowAsync(async () => await models().user().save({ id: user1.id, email: `${'long'.repeat(100)}@example.com` }));
+		expect(error instanceof ErrorUnprocessableEntity).toBe(true);
+
+		// check that the full name is not too long
+		error = await checkThrowAsync(async () => await models().user().save({ id: user1.id, full_name: 'long'.repeat(400) }));
+		expect(error instanceof ErrorUnprocessableEntity).toBe(true);
+
+		// should not throw if updating with valid data
+		expect(
+			await checkThrowAsync(async () => await models().user().save({ id: user1.id, full_name: 'Example', email: 'new_email@example.com' })),
+		).toBe(null);
 	});
 
 	// test('should delete a user', async () => {

packages/server/src/models/UserModel.ts

@@ -298,9 +298,13 @@ export default class UserModel extends BaseModel<User> {
 		if ('email' in user) {
 			const existingUser = await this.loadByEmail(user.email);
 			if (existingUser && existingUser.id !== user.id) throw new ErrorUnprocessableEntity(`there is already a user with this email: ${user.email}`);
+			// See https://www.rfc-editor.org/errata_search.php?rfc=3696&eid=1690 (found via https://stackoverflow.com/a/574698)
+			if (user.email.length > 254) throw new ErrorUnprocessableEntity('Please enter an email address between 0 and 254 characters');
 			if (!this.validateEmail(user.email)) throw new ErrorUnprocessableEntity(`Invalid email: ${user.email}`);
 		}
 
+		if ('full_name' in user && user.full_name.length > 256) throw new ErrorUnprocessableEntity('Full name must be at most 256 characters');
+
 		return super.validate(user, options);
 	}