From aad044d479861695a86b15ed0d1d668d690ab673 Mon Sep 17 00:00:00 2001 From: Stas Vilchik Date: Thu, 11 Aug 2016 10:26:03 +0200 Subject: [PATCH] SONAR-7920 limit max length of link name and url --- .../server/projectlink/ws/CreateAction.java | 15 +++++- .../projectlink/ws/CreateActionTest.java | 46 ++++++++++++++++--- .../links/views/CreationModalTemplate.hbs | 4 +- 3 files changed, 56 insertions(+), 9 deletions(-) diff --git a/server/sonar-server/src/main/java/org/sonar/server/projectlink/ws/CreateAction.java b/server/sonar-server/src/main/java/org/sonar/server/projectlink/ws/CreateAction.java index bdc7906209d..bc49aa36636 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/projectlink/ws/CreateAction.java +++ b/server/sonar-server/src/main/java/org/sonar/server/projectlink/ws/CreateAction.java @@ -33,6 +33,7 @@ import org.sonarqube.ws.WsProjectLinks; import org.sonarqube.ws.WsProjectLinks.CreateWsResponse; import org.sonarqube.ws.client.projectlinks.CreateWsRequest; +import static com.google.common.base.Preconditions.checkArgument; import static org.sonar.core.util.Slug.slugify; import static org.sonar.core.util.Uuids.UUID_EXAMPLE_01; import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001; @@ -48,6 +49,10 @@ public class CreateAction implements ProjectLinksWsAction { private final UserSession userSession; private final ComponentFinder componentFinder; + private static final int LINK_NAME_MAX_LENGTH = 128; + private static final int LINK_URL_MAX_LENGTH = 2048; + private static final int LINK_TYPE_MAX_LENGTH = 20; + public CreateAction(DbClient dbClient, UserSession userSession, ComponentFinder componentFinder) { this.dbClient = dbClient; this.userSession = userSession; @@ -92,6 +97,8 @@ public class CreateAction implements ProjectLinksWsAction { } private CreateWsResponse doHandle(CreateWsRequest createWsRequest) { + validateRequest(createWsRequest); + String name = createWsRequest.getName(); String url = createWsRequest.getUrl(); 
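Review bot: The three `LINK_*_MAX_LENGTH` constants in the second hunk give no hint of where 128, 2048 and 20 come from, and they are declared after the instance fields instead of before them. If the numbers mirror the column widths of the table the link is written to (not visible in this patch), a comment such as `// keep in sync with the column sizes of the project link table` would keep the two from drifting apart. Without it, a value that passes the check but exceeds the column would fail at insert time rather than with the clear validation message. Moving the block above the instance fields would follow the usual static-before-instance order.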
@@ -140,7 +147,13 @@ public class CreateAction implements ProjectLinksWsAction { .setUrl(request.mandatoryParam(PARAM_URL)); } + private static void validateRequest(CreateWsRequest request) { + checkArgument(request.getName().length() <= LINK_NAME_MAX_LENGTH, "Link name cannot be longer than %s characters", LINK_NAME_MAX_LENGTH); + checkArgument(request.getUrl().length() <= LINK_URL_MAX_LENGTH, "Link url cannot be longer than %s characters", LINK_URL_MAX_LENGTH); + } + private static String nameToType(String name) { - return slugify(name); + String slugified = slugify(name); + return slugified.substring(0, Math.min(slugified.length(), LINK_TYPE_MAX_LENGTH)); } } diff --git a/server/sonar-server/src/test/java/org/sonar/server/projectlink/ws/CreateActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/projectlink/ws/CreateActionTest.java index 14d88957dc2..350ddc9b26b 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/projectlink/ws/CreateActionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/projectlink/ws/CreateActionTest.java @@ -21,6 +21,7 @@ package org.sonar.server.projectlink.ws; import java.io.IOException; import java.io.InputStream; +import org.apache.commons.lang.StringUtils; import org.junit.Before; import org.junit.Rule; import org.junit.Test; @@ -122,6 +123,15 @@ public class CreateActionTest { createAndTest(); } + @Test + public void with_long_name() throws IOException { + insertProject(); + + String longName = StringUtils.leftPad("", 60, "a"); + String expectedType = StringUtils.leftPad("", 20, "a"); + createAndTest(longName, "http://example.org", expectedType); + } + @Test public void fail_if_no_name() { expectedException.expect(IllegalArgumentException.class); 
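Review bot: `validateRequest` bounds the length of the url but accepts any content, and the value is persisted as the link's href (the test in this patch reads it back with `link.getHref()`). If the scheme is not restricted elsewhere, which this hunk does not show, a `javascript:` or `data:` value would be stored and later offered as a clickable project link. An allow-list check next to the length checks would close that, for example `checkArgument(request.getUrl().startsWith("http://") || request.getUrl().startsWith("https://"), "Link url must be an http(s) URL");`, extended with any other schemes the product legitimately needs. Separately, `nameToType` now cuts the slug at 20 characters, so two names sharing their first 20 slug characters get the same type; worth confirming that nothing treats the type as unique per project.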
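Review bot: `StringUtils.leftPad("", 60, "a")` in `with_long_name` builds a repeated string by padding an empty one, which hides the intent. `StringUtils.repeat("a", 60)` says the same thing directly. The same applies to the `leftPad` calls in `fail_if_long_name` and `fail_if_long_url` further down the file.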
@@ -131,6 +141,16 @@ public class CreateActionTest { .execute(); } + @Test + public void fail_if_long_name() { + expectedException.expect(IllegalArgumentException.class); + ws.newRequest() + .setParam(PARAM_PROJECT_KEY, "unknown") + .setParam(PARAM_NAME, StringUtils.leftPad("", 129, "*")) + .setParam(PARAM_URL, "http://example.org") + .execute(); + } + @Test public void fail_if_no_url() { expectedException.expect(IllegalArgumentException.class); @@ -140,6 +160,16 @@ public class CreateActionTest { .execute(); } + @Test + public void fail_if_long_url() { + expectedException.expect(IllegalArgumentException.class); + ws.newRequest() + .setParam(PARAM_PROJECT_KEY, "unknown") + .setParam(PARAM_NAME, "random") + .setParam(PARAM_URL, StringUtils.leftPad("", 2049, "*")) + .execute(); + } + @Test public void fail_when_no_project() { expectedException.expect(NotFoundException.class); @@ -187,12 +217,12 @@ public class CreateActionTest { return project; } - private void createAndTest() throws IOException { + private void createAndTest(String name, String url, String type) throws IOException { InputStream responseStream = ws.newRequest() .setMethod("POST") .setParam(PARAM_PROJECT_KEY, PROJECT_KEY) - .setParam(PARAM_NAME, "Custom") - .setParam(PARAM_URL, "http://example.org") + .setParam(PARAM_NAME, name) + .setParam(PARAM_URL, url) .setMediaType(PROTOBUF) .execute().getInputStream(); 
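Review bot: `fail_if_long_name` and `fail_if_long_url` assert only `IllegalArgumentException`, the same type the neighbouring `fail_if_no_name` and `fail_if_no_url` expect, so they would still pass if the request were rejected for some other argument reason. Adding `expectedException.expectMessage("Link name cannot be longer than 128 characters");` (and the url counterpart with 2048) ties each test to the check it is meant to cover. Both tests also probe only one value past the limit; a passing case at exactly 128 and exactly 2048 characters would guard against the `<=` in `validateRequest` turning into `<`.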
@@ -201,8 +231,12 @@ public class CreateActionTest { long newId = Long.valueOf(response.getLink().getId()); ComponentLinkDto link = dbClient.componentLinkDao().selectById(dbSession, newId); - assertThat(link.getName()).isEqualTo("Custom"); - assertThat(link.getHref()).isEqualTo("http://example.org"); - assertThat(link.getType()).isEqualTo("custom"); + assertThat(link.getName()).isEqualTo(name); + assertThat(link.getHref()).isEqualTo(url); + assertThat(link.getType()).isEqualTo(type); + } + + private void createAndTest() throws IOException { + createAndTest("Custom", "http://example.org", "custom"); } } diff --git a/server/sonar-web/src/main/js/apps/project-admin/links/views/CreationModalTemplate.hbs b/server/sonar-web/src/main/js/apps/project-admin/links/views/CreationModalTemplate.hbs index 7405f30d1b4..6d7f25084b5 100644 --- a/server/sonar-web/src/main/js/apps/project-admin/links/views/CreationModalTemplate.hbs +++ b/server/sonar-web/src/main/js/apps/project-admin/links/views/CreationModalTemplate.hbs @@ -7,12 +7,12 @@