From 5ae31026f8fa638f271ba008ae7e84bcc8215d9a Mon Sep 17 00:00:00 2001
From: Øyvind Grønnesby
Date: Tue, 7 Mar 2023 11:44:24 +0100
Subject: Limit length on input

---
 .../controller/restapi/application/ApplicationApiHandler.java | 4 +++-
 .../controller/restapi/application/ApplicationApiCloudTest.java | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

(limited to 'controller-server')

diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
index 616df377cc4..f2390bd4e83 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
@@ -758,7 +758,9 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
 }
 private String getString(Inspector field, String defaultVale) {
- return field.valid() ? field.asString().trim() : defaultVale;
+ var string = field.valid() ? field.asString().trim() : defaultVale;
+ if (string.length() > 512) throw new IllegalArgumentException("Input value too long");
+ return string;
 }
 private SlimeJsonResponse updateTenantInfo(CloudTenant tenant, HttpRequest request) {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
index 41622e669e6..6012b491fe7 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
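Review bot: The 512 in the added check in getString is a bare magic number and the exception message gives the client no hint of the bound, so a rejected PUT only says "Input value too long"; a named constant such as `private static final int MAX_STRING_LENGTH = 512;` together with `throw new IllegalArgumentException("Input value too long (max " + MAX_STRING_LENGTH + " characters)")` keeps the limit discoverable and lets the test derive its 513 from it instead of repeating the literal. `String.length()` counts UTF-16 code units, so the check bounds characters rather than bytes — a value that passes can still be up to 1536 bytes in UTF-8 — and a one-line comment stating which of the two the limit is meant to cap would prevent a later reader from assuming a byte bound. The check also runs against `defaultVale` when the field is absent, which is harmless for the defaults visible here but presumably unintended; applying it only inside the `field.valid()` branch would make that explicit. The enclosing class continues outside the hunk.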
@@ -80,6 +80,14 @@ public class ApplicationApiCloudTest extends ControllerContainerCloudTest {
 tester.assertResponse(request, "{\"contact\":{\"name\":\"Some Name\",\"email\":\"foo@example.com\",\"emailVerified\":false},\"tenant\":{\"company\":\"Scoober, Inc.\",\"website\":\"https://example.com/\"}}", 200);
 }
+ @Test
+ void tenant_info_profile_too_long() {
+ var request = request("/application/v4/tenant/scoober/info/profile", PUT)
+ .data("{\"contact\":{\"name\":\"" + "a".repeat(513) + "\",\"email\":\"foo@example.com\"},\"tenant\":{\"company\":\"Scoober, Inc.\",\"website\":\"https://example.com/\"}}")
+ .roles(Set.of(Role.administrator(tenantName)));
+ tester.assertResponse(request, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Input value too long\"}", 400);
+ }
+
 @Test
 void tenant_info_billing() {
 var request = request("/application/v4/tenant/scoober/info/billing", GET)
--
cgit v1.2.3
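Review bot: The new test tenant_info_profile_too_long pins only the rejecting side of the limit (513 characters → 400); a companion request built with `"a".repeat(512)` and asserted as 200 would fix the boundary as inclusive and catch a later drift of the comparison in getString to `>=`. The expected body also hard-codes the exception message text, so any change to that message in ApplicationApiHandler (for instance adding the limit to it) has to be mirrored here; deriving the 513 from a shared limit constant rather than repeating the literal would at least keep the length from going stale. That an IllegalArgumentException maps to a BAD_REQUEST response is inferred from this assertion, not visible in the hunk.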