Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
package com.example.RealMatch.user.presentation.dto.request;

import jakarta.validation.constraints.Size;
import lombok.Getter;
import lombok.NoArgsConstructor;

Expand All @@ -9,6 +8,5 @@
public class MyProfileCardUpdateRequestDto {

@jakarta.validation.constraints.NotBlank
@Size(max = 255)
private String profileImageUrl;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

The @Size(max = 255) validation on the profileImageUrl field has been removed. While the goal was to accommodate longer URLs, removing the length validation entirely creates several risks. An excessively long string could lead to DataTruncationException if the corresponding database column has a size limit, potentially causing 500 errors and a Denial of Service. Furthermore, a malicious user could submit an extremely long string to exploit this. There is also no validation to ensure the provided string is a valid URL, which could lead to stored Cross-Site Scripting (XSS) if the profileImageUrl is rendered without proper sanitization on the client-side. To mitigate these issues, it's crucial to reintroduce a more generous length limit (e.g., @Size(max = 2048)) and add URL format validation (@URL).

    @jakarta.validation.constraints.NotBlank
    @org.hibernate.validator.constraints.URL
    @jakarta.validation.constraints.Size(max = 2048)
    private String profileImageUrl;

}
Loading