From f273ca8d136b1b52e99fffdd0f82f131dbcb139e Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Tue, 28 May 2024 15:26:21 +0200 Subject: [PATCH] Introduce length limit on the `description` field --- src/controllers/krate/publish.rs | 8 ++++++++ src/tests/krate/publish/validation.rs | 16 +++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/src/controllers/krate/publish.rs b/src/controllers/krate/publish.rs index c7371355ccc..b42b974bd61 100644 --- a/src/controllers/krate/publish.rs +++ b/src/controllers/krate/publish.rs @@ -38,6 +38,8 @@ const MISSING_RIGHTS_ERROR_MESSAGE: &str = "this crate exists but you don't seem to accept an invitation to be an owner before \ publishing."; +const MAX_DESCRIPTION_LENGTH: usize = 1000; + /// Handles the `PUT /crates/new` route. /// Used by `cargo publish` to publish a new crate or to publish a new version of an /// existing crate. @@ -160,6 +162,12 @@ pub async fn publish(app: AppState, req: BytesRequest) -> AppResult MAX_DESCRIPTION_LENGTH { + return Err(bad_request(format!("The `description` is too long. A maximum of {MAX_DESCRIPTION_LENGTH} characters are currently allowed."))); + } + } + if let Some(ref license) = license { parse_license_expr(license).map_err(|e| bad_request(format_args!( "unknown or invalid license expression; \ diff --git a/src/tests/krate/publish/validation.rs b/src/tests/krate/publish/validation.rs index e2a8209cb4d..b3ddac33193 100644 --- a/src/tests/krate/publish/validation.rs +++ b/src/tests/krate/publish/validation.rs @@ -3,7 +3,7 @@ use crate::util::{RequestHelper, TestApp}; use crates_io::models::krate::MAX_NAME_LENGTH; use googletest::prelude::*; use http::StatusCode; -use insta::assert_json_snapshot; +use insta::{assert_json_snapshot, assert_snapshot}; #[tokio::test(flavor = "multi_thread")] async fn empty_json() { 
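Review bot: `MAX_DESCRIPTION_LENGTH` is introduced without a doc comment, and its unit is left implicit even though the check that uses it (the `@@ -160` hunk further down) compares it with `str::len`, which counts UTF-8 bytes rather than characters. I'd add `/// Upper bound on the `description` field accepted by `publish`, compared against the UTF-8 byte length of the submitted string.` above the constant, adjusting the wording if the check is changed to count characters. Stating the unit here is what lets the error message in the controller and any future limit in the database schema be kept in agreement.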
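Review bot: The new guard measures `description.len()`, which is the UTF-8 byte length, while the error it returns tells the client that `{MAX_DESCRIPTION_LENGTH} characters are currently allowed`; a description of 400 three-byte characters is rejected by this check although it is well under the advertised limit. Either count characters so the message is accurate, `if description.chars().count() > MAX_DESCRIPTION_LENGTH {`, or keep the byte bound (it is what actually bounds what gets stored) and reword the message to say bytes. The `format!` line also runs far past 100 columns; the adjacent license check wraps its message in a `\`-continued string literal, and the same shape would keep this one readable. The enclosing `publish` function begins and ends outside this hunk.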
@@ -89,6 +89,20 @@ async fn license_and_description_required() {
     assert_that!(app.stored_files().await, empty());
 }
 
+#[tokio::test(flavor = "multi_thread")]
+async fn long_description() {
+    let (app, _, _, token) = TestApp::full().with_token();
+
+    let description = "a".repeat(2000);
+    let crate_to_publish = PublishBuilder::new("foo_metadata", "1.1.0").description(&description);
+
+    let response = token.publish_crate(crate_to_publish).await;
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    assert_snapshot!(response.text(), @r###"{"errors":[{"detail":"The `description` is too long. A maximum of 1000 characters are currently allowed."}]}"###);
+
+    assert_that!(app.stored_files().await, empty());
+}
+
 #[tokio::test(flavor = "multi_thread")]
 async fn invalid_license() {
     let (app, _, _, token) = TestApp::full().with_token();
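Review bot: `long_description` only probes far past the limit with 2000 ASCII bytes, so it pins neither the boundary nor the byte-versus-character question that `description.len()` raises in the controller; a 1000-byte description should still be accepted, a 1001-byte one rejected, and a multi-byte string of fewer than 1000 characters would show which unit the limit really enforces. The test also hard-codes 2000 here and 1000 inside the snapshot, while the file already imports `MAX_NAME_LENGTH` from `crates_io::models::krate`; exposing the new limit the same way and writing `let description = "a".repeat(MAX_DESCRIPTION_LENGTH + 1);` would keep the test tracking the constant instead of drifting when it is tuned.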