From 2f25b48869f59256bf7d692c4486c64c30b85e5e Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sun, 12 Jun 2022 18:29:12 +0200
Subject: [PATCH] feat: restrict max avatar size

resolves #1171
---
 config.yml.sample                | 3 +++
 docs/content/doc/setup/config.md | 12 ++++++++++++
 pkg/config/config.go             | 2 ++
 pkg/routes/api/v1/avatar.go      | 6 +++++-
 pkg/swagger/docs.go              | 2 +-
 pkg/swagger/swagger.json         | 2 +-
 pkg/swagger/swagger.yaml         | 3 ++-
 7 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/config.yml.sample b/config.yml.sample
index 0b368866b38..0df19d8fd61 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -56,6 +56,9 @@ service:
   # it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
   # for user deletion.
   enableuserdeletion: true
+  # The maximum size clients will be able to request for user avatars.
+  # If clients request a size bigger than this, it will be changed on the fly.
+  maxavatarsize: 1024
 
 database:
   # Database type to use. Supported types are mysql, postgres and sqlite.
diff --git a/docs/content/doc/setup/config.md b/docs/content/doc/setup/config.md
index 2721d6e827f..5a9035379a5 100644
--- a/docs/content/doc/setup/config.md
+++ b/docs/content/doc/setup/config.md
@@ -321,6 +321,18 @@ Full path: `service.enableuserdeletion`
 Environment path: `VIKUNJA_SERVICE_ENABLEUSERDELETION`
 
 
+### maxavatarsize
+
+The maximum size clients will be able to request for user avatars.
+If clients request a size bigger than this, it will be changed on the fly.
+
+Default: `1024`
+
+Full path: `service.maxavatarsize`
+
+Environment path: `VIKUNJA_SERVICE_MAXAVATARSIZE`
+
+
 ---
 
 ## database
diff --git a/pkg/config/config.go b/pkg/config/config.go
index ff40e2cb45e..a8df08a5c4e 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -62,6 +62,7 @@ const (
 	ServiceTestingtoken         Key = `service.testingtoken`
 	ServiceEnableEmailReminders Key = `service.enableemailreminders`
 	ServiceEnableUserDeletion   Key = `service.enableuserdeletion`
+	ServiceMaxAvatarSize        Key = `service.maxavatarsize`
 
 	AuthLocalEnabled  Key = `auth.local.enabled`
 	AuthOpenIDEnabled Key = `auth.openid.enabled`
@@ -287,6 +288,7 @@ func InitDefaultConfig() {
 	ServiceEnableTotp.setDefault(true)
 	ServiceEnableEmailReminders.setDefault(true)
 	ServiceEnableUserDeletion.setDefault(true)
+	ServiceMaxAvatarSize.setDefault(1024)
 
 	// Auth
 	AuthLocalEnabled.setDefault(true)
diff --git a/pkg/routes/api/v1/avatar.go b/pkg/routes/api/v1/avatar.go
index 7b52254fcc3..2bf540ed17a 100644
--- a/pkg/routes/api/v1/avatar.go
+++ b/pkg/routes/api/v1/avatar.go
@@ -17,6 +17,7 @@
 package v1
 
 import (
+	"code.vikunja.io/api/pkg/config"
 	"code.vikunja.io/api/pkg/db"
 	"code.vikunja.io/api/pkg/files"
 	"code.vikunja.io/api/pkg/log"
@@ -49,7 +50,7 @@ import (
 // @tags user
 // @Produce octet-stream
 // @Param username path string true "The username of the user who's avatar you want to get"
-// @Param size query int false "The size of the avatar you want to get"
+// @Param size query int false "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size."
 // @Success 200 {} blob "The avatar"
 // @Failure 404 {object} models.Message "The user does not exist."
 // @Failure 500 {object} models.Message "Internal error"
@@ -97,6 +98,9 @@ func GetAvatar(c echo.Context) error {
 			return handler.HandleHTTPError(err, c)
 		}
 	}
+	if sizeInt > config.ServiceMaxAvatarSize.GetInt64() {
+		sizeInt = config.ServiceMaxAvatarSize.GetInt64()
+	}
 
 	// Get the avatar
 	a, mimeType, err := avatarProvider.GetAvatar(u, sizeInt)
diff --git a/pkg/swagger/docs.go b/pkg/swagger/docs.go
index 1fbf19e5289..5e8c1494f25 100644
--- a/pkg/swagger/docs.go
+++ b/pkg/swagger/docs.go
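Review bot: The new clamp in GetAvatar only bounds sizeInt from above, so a zero or negative value parsed from the size query parameter still reaches avatarProvider.GetAvatar unchanged unless the parsing code earlier in the function (outside this hunk) rejects it or the provider treats non-positive sizes as a default, neither of which is visible here. Nothing validates the configured limit either: a maxavatarsize of 0 or less would clamp every request to that value rather than fail loudly at startup, which is presumably not intended. I would read the limit once and guard both sides, e.g. `maxSize := config.ServiceMaxAvatarSize.GetInt64()` followed by `if sizeInt < 0 || sizeInt > maxSize { sizeInt = maxSize }` if falling back to the maximum is acceptable for malformed values, or return a 400 for negative sizes if the parser does not already. GetAvatar starts before this hunk and continues past it.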
@@ -7537,7 +7537,7 @@ const docTemplate = `{ }, { "type": "integer", - "description": "The size of the avatar you want to get", + "description": "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size.", "name": "size", "in": "query" } diff --git a/pkg/swagger/swagger.json b/pkg/swagger/swagger.json index a2562926127..c4f342378d8 100644 --- a/pkg/swagger/swagger.json +++ b/pkg/swagger/swagger.json @@ -7528,7 +7528,7 @@ }, { "type": "integer", - "description": "The size of the avatar you want to get", + "description": "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size.", "name": "size", "in": "query" } diff --git a/pkg/swagger/swagger.yaml b/pkg/swagger/swagger.yaml index 46d3f79937e..a8ec87d02e2 100644 --- a/pkg/swagger/swagger.yaml +++ b/pkg/swagger/swagger.yaml @@ -1433,7 +1433,8 @@ paths: name: username required: true type: string - - description: The size of the avatar you want to get + - description: The size of the avatar you want to get. If bigger than the max + configured size this will be adjusted to the maximum size. in: query name: size type: integer