From 1623e09225a1136b50de4cdebb79e69c399b0a55 Mon Sep 17 00:00:00 2001
From: Knut Ahlers <knut@ahlers.me>
Date: Sat, 21 Oct 2023 19:35:57 +0200
Subject: [PATCH] Add server side check for maximum secret size

closes #138

Signed-off-by: Knut Ahlers <knut@ahlers.me>
---
 api.go                         | 5 +++++
 pkg/customization/customize.go | 1 +
 2 files changed, 6 insertions(+)

diff --git a/api.go b/api.go
index 09e91c9..4c7a610 100644
--- a/api.go
+++ b/api.go
@@ -70,6 +70,11 @@ func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if cust.MaxSecretSize > 0 && len(secret) > int(cust.MaxSecretSize) {
+		a.errorResponse(res, http.StatusBadRequest, errors.New("secret size exceeds maximum"), "")
+		return
+	}
+
 	id, err := a.store.Create(secret, time.Duration(expiry)*time.Second)
 	if err != nil {
 		a.errorResponse(res, http.StatusInternalServerError, err, "creating secret")
diff --git a/pkg/customization/customize.go b/pkg/customization/customize.go
index ecce967..1069b85 100644
--- a/pkg/customization/customize.go
+++ b/pkg/customization/customize.go
@@ -29,6 +29,7 @@ type (
 		DisableFileAttachment  bool   `json:"disableFileAttachment" yaml:"disableFileAttachment"`
 		MaxAttachmentSizeTotal int64  `json:"maxAttachmentSizeTotal" yaml:"maxAttachmentSizeTotal"`
 
+		MaxSecretSize     int64  `json:"-" yaml:"maxSecretSize"`
 		OverlayFSPath     string `json:"-" yaml:"overlayFSPath"`
 		UseFormalLanguage bool   `json:"-" yaml:"useFormalLanguage"`
 	}