server: Add limit on the maximum cipher length

This limit will not allow sending cipher (after encryption) larger than the character limit (default limit is 10000)
LibrePass · Nov 19, 2023 · b5abd5a · b5abd5a
1 parent 383de81
commit b5abd5a
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/.env.schema b/.env.schema
@@ -38,3 +38,6 @@ [email protected]
 
 # Uncomment the following line to not require email verification
 #EMAIL_VERIFICATION_REQUIRED=false
+
+# Uncomment the following line to set custom limit maximum length of encrypted cipher
+#CIPHER_MAX_LENGTH=10000
diff --git a/server/src/main/kotlin/dev/medzik/librepass/server/controllers/api/Cipher.kt b/server/src/main/kotlin/dev/medzik/librepass/server/controllers/api/Cipher.kt
@@ -13,6 +13,7 @@ import dev.medzik.librepass.types.api.CipherIdResponse
 import dev.medzik.librepass.types.api.SyncResponse
 import dev.medzik.librepass.types.cipher.EncryptedCipher
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.http.*
 import org.springframework.web.bind.annotation.*
 import org.springframework.web.client.RestTemplate
@@ -23,7 +24,9 @@ import java.util.*
 class CipherController
     @Autowired
     constructor(
-        private val cipherRepository: CipherRepository
+        private val cipherRepository: CipherRepository,
+        @Value("\${cipher.max_length}")
+        private val cipherMaxLength: Int
     ) {
         @PutMapping
         fun insertCipher(
@@ -35,6 +38,9 @@ class CipherController
             )
                 return ResponseError.INVALID_BODY.toResponse()
 
+            if (encryptedCipher.protectedData.length > cipherMaxLength)
+                return ResponseError.CIPHER_TOO_LARGE.toResponse()
+
             val cipher = cipherRepository.save(CipherTable(encryptedCipher))
 
             return ResponseHandler.generateResponse(
@@ -106,6 +112,9 @@ class CipherController
             if (!checkIfCipherExistsAndOwnedBy(id, user.id))
                 return ResponseError.NOT_FOUND.toResponse()
 
+            if (encryptedCipher.protectedData.length > cipherMaxLength)
+                return ResponseError.CIPHER_TOO_LARGE.toResponse()
+
             cipherRepository.save(CipherTable(encryptedCipher))
 
             return ResponseHandler.generateResponse(CipherIdResponse(id), HttpStatus.OK)

diff --git a/server/src/main/resources/application.properties b/server/src/main/resources/application.properties
@@ -34,3 +34,7 @@ smtp.mail.address=${SMTP_EMAIL_ADDRESS}
 
 # Require email verification
 email.verification.required=${EMAIL_VERIFICATION_REQUIRED:true}
+
+# Limits
+# Maximum length of encrypted cipher
+cipher.max_length=${CIPHER_MAX_LENGTH:10000}
diff --git a/shared/src/main/kotlin/dev/medzik/librepass/responses/ResponseError.kt b/shared/src/main/kotlin/dev/medzik/librepass/responses/ResponseError.kt
@@ -9,6 +9,7 @@ enum class ResponseError(val statusCode: HttpStatus) {
     UNAUTHORIZED(HttpStatus.UNAUTHORIZED),
     NOT_FOUND(HttpStatus.NOT_FOUND),
     TOO_MANY_REQUESTS(HttpStatus.TOO_MANY_REQUESTS),
+    CIPHER_TOO_LARGE(HttpStatus.CONTENT_TOO_LARGE),
 
     // Database errors
     DATABASE_DUPLICATED_KEY(HttpStatus.CONFLICT),
@@ -22,6 +23,7 @@ enum class HttpStatus(val code: Int) {
     UNAUTHORIZED(401),
     NOT_FOUND(404),
     CONFLICT(409),
+    CONTENT_TOO_LARGE(413),
     TOO_MANY_REQUESTS(429),
     INTERNAL_SERVER_ERROR(500)
 }