feat: [CODE-2153]: add limits on PR text fields (#2412)

app/api/controller/pullreq/comment_create.go

@@ -17,6 +17,7 @@ package pullreq
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/harness/gitness/app/api/controller"
@@ -55,8 +56,12 @@ func (in *CommentCreateInput) IsCodeComment() bool {
 	return in.SourceCommitSHA != ""
 }
 
-func (in *CommentCreateInput) Validate() error {
-	// TODO: Validate Text size.
+func (in *CommentCreateInput) Sanitize() error {
+	in.Text = strings.TrimSpace(in.Text)
+
+	if err := validateComment(in.Text); err != nil {
+		return err
+	}
 
 	if in.SourceCommitSHA == "" && in.TargetCommitSHA == "" {
 		return nil // not a code comment
@@ -95,15 +100,15 @@ func (c *Controller) CommentCreate(
 	prNum int64,
 	in *CommentCreateInput,
 ) (*types.PullReqActivity, error) {
+	if err := in.Sanitize(); err != nil {
+		return nil, err
+	}
+
 	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}
 
-	if errValidate := in.Validate(); errValidate != nil {
-		return nil, errValidate
-	}
-
 	var pr *types.PullReq
 
 	pr, err = c.pullreqStore.FindByNumber(ctx, repo.ID, prNum)

app/api/controller/pullreq/comment_update.go

@@ -17,6 +17,7 @@ package pullreq
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/harness/gitness/app/auth"
@@ -30,8 +31,13 @@ type CommentUpdateInput struct {
 	Text string `json:"text"`
 }
 
-func (in *CommentUpdateInput) Validate() error {
-	// TODO: Check Text length
+func (in *CommentUpdateInput) Sanitize() error {
+	in.Text = strings.TrimSpace(in.Text)
+
+	if err := validateComment(in.Text); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -48,6 +54,10 @@ func (c *Controller) CommentUpdate(
 	commentID int64,
 	in *CommentUpdateInput,
 ) (*types.PullReqActivity, error) {
+	if err := in.Sanitize(); err != nil {
+		return nil, err
+	}
+
 	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
@@ -58,10 +68,6 @@ func (c *Controller) CommentUpdate(
 		return nil, fmt.Errorf("failed to find pull request by number: %w", err)
 	}
 
-	if errValidate := in.Validate(); errValidate != nil {
-		return nil, errValidate
-	}
-
 	act, err := c.getCommentCheckEditAccess(ctx, session, pr, commentID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get comment: %w", err)

app/api/controller/pullreq/controller.go

@@ -17,6 +17,7 @@ package pullreq
 import (
 	"context"
 	"fmt"
+	"unicode/utf8"
 
 	apiauth "github.com/harness/gitness/app/api/auth"
 	"github.com/harness/gitness/app/api/usererror"
@@ -283,3 +284,34 @@ func eventBase(pr *types.PullReq, principal *types.Principal) pullreqevents.Base
 		PrincipalID:  principal.ID,
 	}
 }
+
+func validateTitle(title string) error {
+	if title == "" {
+		return usererror.BadRequest("pull request title can't be empty")
+	}
+
+	const maxLen = 256
+	if utf8.RuneCountInString(title) > maxLen {
+		return usererror.BadRequestf("pull request title is too long (maximum is %d characters)", maxLen)
+	}
+
+	return nil
+}
+
+func validateDescription(desc string) error {
+	const maxLen = 64 << 10 // 64K
+	if len(desc) > maxLen {
+		return usererror.BadRequest("pull request description is too long")
+	}
+
+	return nil
+}
+
+func validateComment(desc string) error {
+	const maxLen = 16 << 10 // 16K
+	if len(desc) > maxLen {
+		return usererror.BadRequest("pull request comment is too long")
+	}
+
+	return nil
+}

app/api/controller/pullreq/pr_create.go

@@ -42,6 +42,21 @@ type CreateInput struct {
 	TargetBranch  string `json:"target_branch"`
 }
 
+func (in *CreateInput) Sanitize() error {
+	in.Title = strings.TrimSpace(in.Title)
+	in.Description = strings.TrimSpace(in.Description)
+
+	if err := validateTitle(in.Title); err != nil {
+		return err
+	}
+
+	if err := validateDescription(in.Description); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // Create creates a new pull request.
 func (c *Controller) Create(
 	ctx context.Context,
@@ -49,9 +64,8 @@ func (c *Controller) Create(
 	repoRef string,
 	in *CreateInput,
 ) (*types.PullReq, error) {
-	in.Title = strings.TrimSpace(in.Title)
-	if in.Title == "" {
-		return nil, usererror.BadRequest("pull request title can't be empty")
+	if err := in.Sanitize(); err != nil {
+		return nil, err
 	}
 
 	targetRepo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoPush)

app/api/controller/pullreq/pr_update.go

@@ -21,7 +21,6 @@ import (
 	"time"
 
 	apiauth "github.com/harness/gitness/app/api/auth"
-	"github.com/harness/gitness/app/api/usererror"
 	"github.com/harness/gitness/app/auth"
 	pullreqevents "github.com/harness/gitness/app/events/pullreq"
 	"github.com/harness/gitness/types"
@@ -35,15 +34,17 @@ type UpdateInput struct {
 	Description string `json:"description"`
 }
 
-func (in *UpdateInput) Check() error {
+func (in *UpdateInput) Sanitize() error {
 	in.Title = strings.TrimSpace(in.Title)
-	if in.Title == "" {
-		return usererror.BadRequest("pull request title can't be empty")
-	}
-
 	in.Description = strings.TrimSpace(in.Description)
 
-	// TODO: Check the length of the input strings
+	if err := validateTitle(in.Title); err != nil {
+		return err
+	}
+
+	if err := validateDescription(in.Description); err != nil {
+		return err
+	}
 
 	return nil
 }
@@ -52,7 +53,7 @@ func (in *UpdateInput) Check() error {
 func (c *Controller) Update(ctx context.Context,
 	session *auth.Session, repoRef string, pullreqNum int64, in *UpdateInput,
 ) (*types.PullReq, error) {
-	if err := in.Check(); err != nil {
+	if err := in.Sanitize(); err != nil {
 		return nil, err
 	}