pinakes-server: cap batch_enrich size; reject path traversal in library roots

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I42212cdd385921295484d5c1f5fbfeab6a6a6964
2026-03-12 20:46:20 +03:00 · 2026-03-12 20:46:20 +03:00 · 18fda530f2
commit 18fda530f2
parent c16fcb4a9b
3 changed files with 49 additions and 0 deletions
--- a/crates/pinakes-server/src/routes/social.rs
+++ b/crates/pinakes-server/src/routes/social.rs
@ -40,6 +40,17 @@ pub async fn rate_media(
      ),
    ));
  }
+  if req
+    .review_text
+    .as_ref()
+    .is_some_and(|t| t.chars().count() > 10_000)
+  {
+    return Err(ApiError(
+      pinakes_core::error::PinakesError::InvalidOperation(
+        "review_text must not exceed 10000 characters".into(),
+      ),
+    ));
+  }
  let user_id = resolve_user_id(&state.storage, &username).await?;
  let rating = state
    .storage
@ -139,6 +150,13 @@ pub async fn create_share_link(
  Extension(username): Extension<String>,
  Json(req): Json<CreateShareLinkRequest>,
 ) -> Result<Json<ShareLinkResponse>, ApiError> {
+  if req.password.as_ref().is_some_and(|p| p.len() > 1024) {
+    return Err(ApiError(
+      pinakes_core::error::PinakesError::InvalidOperation(
+        "password must not exceed 1024 bytes".into(),
+      ),
+    ));
+  }
  let user_id = resolve_user_id(&state.storage, &username).await?;
  let token = uuid::Uuid::now_v7().to_string().replace('-', "");
  let password_hash = match req.password.as_ref() {
@ -178,6 +196,13 @@ pub async fn access_shared_media(
  Path(token): Path<String>,
  Query(query): Query<ShareLinkQuery>,
 ) -> Result<Json<MediaResponse>, ApiError> {
+  if query.password.as_ref().is_some_and(|p| p.len() > 1024) {
+    return Err(ApiError(
+      pinakes_core::error::PinakesError::InvalidOperation(
+        "password must not exceed 1024 bytes".into(),
+      ),
+    ));
+  }
  let link = state.storage.get_share_link(&token).await?;
  // Check expiration
  if let Some(expires) = link.expires_at