Show length error when Configs provided are too long (#1920)

* Show an error when a config is too long

CTFd/api/v1/config.py

@@ -89,6 +89,9 @@ class ConfigList(Resource):
         response = schema.load(req)
 
         if response.errors:
+            # Inject config key into error
+            config_key = response.data["key"]
+            response.errors["value"][0] = f"{config_key} config is too long"
             return {"success": False, "errors": response.errors}, 400
 
         db.session.add(response.data)
@@ -109,8 +112,15 @@ class ConfigList(Resource):
     )
     def patch(self):
         req = request.get_json()
+        schema = ConfigSchema()
 
         for key, value in req.items():
+            response = schema.load({"key": key, "value": value})
+            if response.errors:
+                # Inject config key into error
+                config_key = response.data["key"]
+                response.errors["value"][0] = f"{config_key} config is too long"
+                return {"success": False, "errors": response.errors}, 400
             set_config(key=key, value=value)
 
         clear_config()

CTFd/schemas/config.py

@@ -1,3 +1,6 @@
+from marshmallow import validate
+from marshmallow_sqlalchemy import field_for
+
 from CTFd.models import Configs, ma
 from CTFd.utils import string_types
 
@@ -9,6 +12,12 @@ class ConfigSchema(ma.ModelSchema):
         dump_only = ("id",)
 
     views = {"admin": ["id", "key", "value"]}
+    key = field_for(Configs, "key", required=True)
+    value = field_for(
+        Configs,
+        "value",
+        validate=[validate.Length(max=64000, error="Config is too long")],
+    )
 
     def __init__(self, view=None, *args, **kwargs):
         if view:

CTFd/themes/admin/assets/js/pages/configs.js

@@ -119,8 +119,17 @@ function updateConfigs(event) {
     }
   });
 
-  CTFd.api.patch_config_list({}, params).then(_response => {
+  CTFd.api.patch_config_list({}, params).then(function(_response) {
+    if (_response.success) {
       window.location.reload();
+    } else {
+      let errors = _response.errors.value.join("\n");
+      ezAlert({
+        title: "Error!",
+        body: errors,
+        button: "Okay"
+      });
+    }
   });
 }
 

tests/api/v1/test_config.py

@@ -103,3 +103,23 @@ def test_api_config_delete_admin():
             assert r.status_code == 200
             assert get_config("ctf_name") is None
     destroy_ctfd(app)
+
+
+def test_long_values():
+    """Can a config value that is bigger than 64,000 be accepted"""
+    app = create_ctfd()
+    with app.app_context():
+        with login_as_user(app, "admin") as admin:
+            long_text = "a" * 65000
+            r = admin.post(
+                "/api/v1/configs", json={"key": "ctf_footer", "value": long_text}
+            )
+            data = r.get_json()
+            assert data["errors"]["value"][0] == "ctf_footer config is too long"
+
+            r = admin.patch("/api/v1/configs", json={"ctf_theme": long_text})
+            data = r.get_json()
+            assert data["errors"]["value"][0] == "ctf_theme config is too long"
+            assert r.status_code == 400
+
+    destroy_ctfd(app)