feat: restrict max avatar size

resolves #1171
kolaente 2022-06-12 18:29:12 +02:00
parent 172a6214d7
commit 2f25b48869
GPG key ID: F40E70337AB24C9B
7 changed files with 26 additions and 4 deletions


@ -56,6 +56,9 @@ service:
# it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands # it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
# for user deletion. # for user deletion.
enableuserdeletion: true enableuserdeletion: true
# The maximum size clients will be able to request for user avatars.
# If clients request a size bigger than this, it will be changed on the fly.
maxavatarsize: 1024
database: database:
# Database type to use. Supported types are mysql, postgres and sqlite. # Database type to use. Supported types are mysql, postgres and sqlite.


@ -321,6 +321,18 @@ Full path: `service.enableuserdeletion`
Environment path: `VIKUNJA_SERVICE_ENABLEUSERDELETION` Environment path: `VIKUNJA_SERVICE_ENABLEUSERDELETION`
### maxavatarsize
The maximum size clients will be able to request for user avatars.
If clients request a size bigger than this, it will be changed on the fly.
Default: `1024`
Full path: `service.maxavatarsize`
Environment path: `VIKUNJA_SERVICE_MAXAVATARSIZE`
--- ---
## database ## database


@ -62,6 +62,7 @@ const (
ServiceTestingtoken Key = `service.testingtoken` ServiceTestingtoken Key = `service.testingtoken`
ServiceEnableEmailReminders Key = `service.enableemailreminders` ServiceEnableEmailReminders Key = `service.enableemailreminders`
ServiceEnableUserDeletion Key = `service.enableuserdeletion` ServiceEnableUserDeletion Key = `service.enableuserdeletion`
ServiceMaxAvatarSize Key = `service.maxavatarsize`
AuthLocalEnabled Key = `auth.local.enabled` AuthLocalEnabled Key = `auth.local.enabled`
AuthOpenIDEnabled Key = `auth.openid.enabled` AuthOpenIDEnabled Key = `auth.openid.enabled`
@ -287,6 +288,7 @@ func InitDefaultConfig() {
ServiceEnableTotp.setDefault(true) ServiceEnableTotp.setDefault(true)
ServiceEnableEmailReminders.setDefault(true) ServiceEnableEmailReminders.setDefault(true)
ServiceEnableUserDeletion.setDefault(true) ServiceEnableUserDeletion.setDefault(true)
ServiceMaxAvatarSize.setDefault(1024)
// Auth // Auth
AuthLocalEnabled.setDefault(true) AuthLocalEnabled.setDefault(true)


@ -17,6 +17,7 @@
package v1 package v1
import ( import (
"code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/db" "code.vikunja.io/api/pkg/db"
"code.vikunja.io/api/pkg/files" "code.vikunja.io/api/pkg/files"
"code.vikunja.io/api/pkg/log" "code.vikunja.io/api/pkg/log"
@ -49,7 +50,7 @@ import (
// @tags user // @tags user
// @Produce octet-stream // @Produce octet-stream
// @Param username path string true "The username of the user who's avatar you want to get" // @Param username path string true "The username of the user who's avatar you want to get"
// @Param size query int false "The size of the avatar you want to get" // @Param size query int false "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size."
// @Success 200 {} blob "The avatar" // @Success 200 {} blob "The avatar"
// @Failure 404 {object} models.Message "The user does not exist." // @Failure 404 {object} models.Message "The user does not exist."
// @Failure 500 {object} models.Message "Internal error" // @Failure 500 {object} models.Message "Internal error"
@ -97,6 +98,9 @@ func GetAvatar(c echo.Context) error {
return handler.HandleHTTPError(err, c) return handler.HandleHTTPError(err, c)
} }
} }
if sizeInt > config.ServiceMaxAvatarSize.GetInt64() {
sizeInt = config.ServiceMaxAvatarSize.GetInt64()
}
// Get the avatar // Get the avatar
a, mimeType, err := avatarProvider.GetAvatar(u, sizeInt) a, mimeType, err := avatarProvider.GetAvatar(u, sizeInt)
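Review bot: The new clamp `if sizeInt > config.ServiceMaxAvatarSize.GetInt64()` bounds only the upper side; unless the size parsing above this hunk already rejects them, a zero or negative `size` query value still reaches `avatarProvider.GetAvatar` unchanged, and a `maxavatarsize` configured as 0 or negative would clamp every request to that value, since `InitDefaultConfig` only sets the default and nothing in this commit validates the configured limit. Reading the limit once and folding the lower bound into the same check keeps the normalisation in one place: `maxSize := config.ServiceMaxAvatarSize.GetInt64()` followed by `if sizeInt <= 0 || sizeInt > maxSize { sizeInt = maxSize }`. Whether the provider expects a strictly positive size is not visible here, so confirm that against `GetAvatar` before changing the lower bound, and consider rejecting a non-positive `maxavatarsize` at config load rather than per request. The body of the handler `GetAvatar` starts and ends outside this hunk.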


@ -7537,7 +7537,7 @@ const docTemplate = `{
}, },
{ {
"type": "integer", "type": "integer",
"description": "The size of the avatar you want to get", "description": "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size.",
"name": "size", "name": "size",
"in": "query" "in": "query"
} }


@ -7528,7 +7528,7 @@
}, },
{ {
"type": "integer", "type": "integer",
"description": "The size of the avatar you want to get", "description": "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size.",
"name": "size", "name": "size",
"in": "query" "in": "query"
} }


@ -1433,7 +1433,8 @@ paths:
name: username name: username
required: true required: true
type: string type: string
- description: The size of the avatar you want to get - description: The size of the avatar you want to get. If bigger than the max
configured size this will be adjusted to the maximum size.
in: query in: query
name: size name: size
type: integer type: integer