stalwartlabs/mail-server
1
1
Fork 0
mirror of https://github.com/stalwartlabs/mail-server.git synced 2025-09-06 03:54:22 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

Limit principal object size

Browse source
This commit is contained in:
mdecimus 2025-08-08 17:07:35 +02:00
parent f9f5fa4463
commit 98dce5d9ea
2 changed files with 39 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
crates/directory/src/backend/internal/manage.rs
View file

@ -553,6 +553,14 @@ impl ManageDirectory for Store {
let pinfo_name = PrincipalInfo::new(principal_id, principal_create.typ, tenant_id); let pinfo_name = PrincipalInfo::new(principal_id, principal_create.typ, tenant_id);
let pinfo_email = PrincipalInfo::new(principal_id, principal_create.typ, None); let pinfo_email = PrincipalInfo::new(principal_id, principal_create.typ, None);
// Validate object size
if principal_create.object_size() > 100_000 {
return Err(error(
"Invalid parameter",
"Principal object size exceeds 100kb safety limit.".into(),
));
}
// Serialize // Serialize
let archiver = Archiver::new(principal_create); let archiver = Archiver::new(principal_create);
let principal_bytes = archiver.serialize().caused_by(trc::location!())?; let principal_bytes = archiver.serialize().caused_by(trc::location!())?;
@ -1902,6 +1910,14 @@ impl ManageDirectory for Store {
} }
} }
// Validate object size
if principal.object_size() > 100_000 {
return Err(error(
"Invalid parameter",
"Principal object size exceeds 100kb safety limit.".into(),
));
}
if update_principal { if update_principal {
build_search_index( build_search_index(
&mut batch, &mut batch,

24
crates/directory/src/core/principal.rs
View file

@ -18,7 +18,7 @@ use serde::{
}; };
use std::{collections::hash_map::Entry, fmt, str::FromStr}; use std::{collections::hash_map::Entry, fmt, str::FromStr};
use store::{ use store::{
U64_LEN, U32_LEN, U64_LEN,
backend::MAX_TOKEN_LENGTH, backend::MAX_TOKEN_LENGTH,
write::{BatchBuilder, DirectoryClass}, write::{BatchBuilder, DirectoryClass},
}; };
@ -310,6 +310,28 @@ impl Principal {
updates updates
} }
pub fn object_size(&self) -> usize {
self.name.len()
+ self.description.as_ref().map_or(0, |d| d.len())
+ self.secrets.iter().map(|s| s.len()).sum::<usize>()
+ self.emails.iter().map(|e| e.len()).sum::<usize>()
+ self
.data
.iter()
.map(|d| match d {
PrincipalData::MemberOf(items)
| PrincipalData::Roles(items)
| PrincipalData::Lists(items) => items.len() * U32_LEN,
PrincipalData::Permissions(items) => items.len() * U32_LEN,
PrincipalData::ExternalMembers(items) | PrincipalData::Urls(items) => {
items.iter().map(|s| s.len()).sum::<usize>()
}
PrincipalData::PrincipalQuota(items) => items.len() * U32_LEN,
PrincipalData::Picture(value) | PrincipalData::Locale(value) => value.len(),
})
.sum::<usize>()
}
pub fn fallback_admin(fallback_pass: impl Into<String>) -> Self { pub fn fallback_admin(fallback_pass: impl Into<String>) -> Self {
Principal { Principal {
id: FALLBACK_ADMIN_ID, id: FALLBACK_ADMIN_ID,