From 204404bd8d46b072f2942c2c18b01cde4c2cb4cf Mon Sep 17 00:00:00 2001
From: Ske
Date: Wed, 10 Jul 2019 00:21:00 +0200
Subject: [PATCH] Bounds check system details

---
 PluralKit.API/Controllers/SystemController.cs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/PluralKit.API/Controllers/SystemController.cs b/PluralKit.API/Controllers/SystemController.cs
index 3cedf147..cfa36303 100644
--- a/PluralKit.API/Controllers/SystemController.cs
+++ b/PluralKit.API/Controllers/SystemController.cs
@@ -7,6 +7,7 @@ using Dapper;
 using Microsoft.AspNetCore.Mvc;
 using Newtonsoft.Json;
 using NodaTime;
+using PluralKit.Core;
 
 namespace PluralKit.API.Controllers
 {
@@ -104,6 +105,14 @@ namespace PluralKit.API.Controllers
 {
 var system = _auth.CurrentSystem;
 
+ // Bounds checks
+ if (newSystem.Name.Length > Limits.MaxSystemNameLength)
+ return BadRequest($"System name too long ({newSystem.Name.Length} > {Limits.MaxSystemNameLength}.");
+ if (newSystem.Tag.Length > Limits.MaxSystemTagLength)
+ return BadRequest($"System tag too long ({newSystem.Tag.Length} > {Limits.MaxSystemTagLength}.");
+ if (newSystem.Description.Length > Limits.MaxDescriptionLength)
+ return BadRequest($"System description too long ({newSystem.Description.Length} > {Limits.MaxDescriptionLength}.");
+
 system.Name = newSystem.Name;
 system.Description = newSystem.Description;
 system.Tag = newSystem.Tag;
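Review bot: The three added length checks in the second hunk dereference `newSystem.Name`, `newSystem.Tag` and `newSystem.Description` without a null guard, so a request body that omits or nulls one of these fields would throw a NullReferenceException and surface as a 500 rather than a 400; the assignments that follow do not dereference the values, so this failure mode is new with the checks. If those fields are optional (the model is not visible in this hunk), the null-conditional form keeps the limit while letting null through, e.g. `if (newSystem.Name?.Length > Limits.MaxSystemNameLength)`, and likewise for Tag and Description. The three error strings also open a parenthesis that is never closed; ending them with `{Limits.MaxSystemNameLength}).` reads correctly. The enclosing action method starts and ends outside the hunk, so whether `newSystem` itself is checked for null cannot be confirmed from here.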