Add length limits for description and data

Author: LaoQi

models/actions/variable.go

@@ -6,6 +6,7 @@ package actions
 import (
 	"context"
 	"strings"
+	"unicode/utf8"
 
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
@@ -37,6 +38,11 @@ type ActionVariable struct {
 	UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
 }
 
+const (
+	VariableDataMaxLength        = 65536
+	VariableDescriptionMaxLength = 4096
+)
+
 func init() {
 	db.RegisterModel(new(ActionVariable))
 }
@@ -48,6 +54,14 @@ func InsertVariable(ctx context.Context, ownerID, repoID int64, name, data, desc
 		ownerID = 0
 	}
 
+	if utf8.RuneCountInString(data) > VariableDataMaxLength {
+		data = string([]rune(data)[:VariableDataMaxLength])
+	}
+
+	if utf8.RuneCountInString(description) > VariableDescriptionMaxLength {
+		description = string([]rune(description)[:VariableDescriptionMaxLength])
+	}
+
 	variable := &ActionVariable{
 		OwnerID:     ownerID,
 		RepoID:      repoID,

models/secret/secret.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"unicode/utf8"
 
 	actions_model "code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/db"
@@ -44,6 +45,11 @@ type Secret struct {
 	CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
 }
 
+const (
+	SecretDataMaxLength        = 65536
+	SecretDescriptionMaxLength = 4096
+)
+
 // ErrSecretNotFound represents a "secret not found" error.
 type ErrSecretNotFound struct {
 	Name string
@@ -68,10 +74,19 @@ func InsertEncryptedSecret(ctx context.Context, ownerID, repoID int64, name, dat
 		return nil, fmt.Errorf("%w: ownerID and repoID cannot be both zero, global secrets are not supported", util.ErrInvalidArgument)
 	}
 
+	if len(data) > SecretDataMaxLength {
+		data = data[:SecretDataMaxLength]
+	}
+
+	if utf8.RuneCountInString(description) > SecretDescriptionMaxLength {
+		description = string([]rune(description)[:SecretDescriptionMaxLength])
+	}
+
 	encrypted, err := secret_module.EncryptSecret(setting.SecretKey, data)
 	if err != nil {
 		return nil, err
 	}
+
 	secret := &Secret{
 		OwnerID:     ownerID,
 		RepoID:      repoID,

routers/web/shared/actions/variables.go

@@ -23,6 +23,8 @@ func SetVariablesContext(ctx *context.Context, ownerID, repoID int64) {
 		return
 	}
 	ctx.Data["Variables"] = variables
+	ctx.Data["DataMaxLength"] = actions_model.VariableDataMaxLength
+	ctx.Data["DescriptionMaxLength"] = actions_model.VariableDescriptionMaxLength
 }
 
 func CreateVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {

routers/web/shared/secrets/secrets.go

@@ -22,6 +22,8 @@ func SetSecretsContext(ctx *context.Context, ownerID, repoID int64) {
 	}
 
 	ctx.Data["Secrets"] = secrets
+	ctx.Data["DataMaxLength"] = secret_model.SecretDataMaxLength
+	ctx.Data["DescriptionMaxLength"] = secret_model.SecretDescriptionMaxLength
 }
 
 func PerformSecretsPost(ctx *context.Context, ownerID, repoID int64, redirectURL string) {

templates/shared/secrets/add_list.tmpl

@@ -65,7 +65,6 @@
 				<input autofocus required
 					id="secret-name"
 					name="name"
-					value="{{.name}}"
 					pattern="^(?!GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
 					placeholder="{{ctx.Locale.Tr "secrets.creation.name_placeholder"}}"
 				>
@@ -75,7 +74,7 @@
 				<input
 					id="secret-description"
 					name="description"
-					value="{{.description}}"
+					maxlength="{{.DescriptionMaxLength}}"
 					placeholder="{{ctx.Locale.Tr "secrets.creation.description_placeholder"}}"
 				>
 			</div>
@@ -84,6 +83,7 @@
 				<textarea required
 					id="secret-data"
 					name="data"
+					maxlength="{{.DataMaxLength}}"
 					placeholder="{{ctx.Locale.Tr "secrets.creation.value_placeholder"}}"
 				></textarea>
 			</div>

templates/shared/variables/variable_list.tmpl

@@ -7,6 +7,7 @@
 			data-modal-header="{{ctx.Locale.Tr "actions.variables.creation"}}"
 			data-modal-dialog-variable-name=""
 			data-modal-dialog-variable-data=""
+			data-modal-dialog-variable-description=""
 		>
 			{{ctx.Locale.Tr "actions.variables.creation"}}
 		</button>
@@ -76,7 +77,6 @@
 				<input autofocus required
 					name="name"
 					id="dialog-variable-name"
-					value="{{.name}}"
 					pattern="^(?!GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
 					placeholder="{{ctx.Locale.Tr "secrets.creation.name_placeholder"}}"
 				>
@@ -86,7 +86,7 @@
 				<input
 					name="description"
 					id="dialog-variable-description"
-					value="{{.description}}"
+					maxlength="{{.DescriptionMaxLength}}"
 					placeholder="{{ctx.Locale.Tr "secrets.creation.description_placeholder"}}"
 				>
 			</div>
@@ -95,6 +95,7 @@
 				<textarea required
 					name="data"
 					id="dialog-variable-data"
+					maxlength="{{.DataMaxLength}}"
 					placeholder="{{ctx.Locale.Tr "secrets.creation.value_placeholder"}}"
 				></textarea>
 			</div>