View Issue Details

ID: 0008999
Project: Taler
Category: libeufin-bank
View Status: public
Last Update: 2025-05-21 17:51
Reporter: Antoine A
Assigned To: Antoine A
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Target Version: 1.0 stretch goals
Summary: 0008999: Set limits to all variable size user inputs
Description: Currently, all strings in all APIs are unsized and libeufin-bank accepts strings of any size. As libeufin-bank uses a very restrictive maximum size (4kB) on all decompressed bodies, this is not a serious security issue. However, it would be healthier to set reasonable limits on all variable-length entries such as wire transfer's subject, bearer token's description, account's name, account's username and so on.

Do we want to put those limits inside the API specification? If not, how can we communicate those limits to clients?
Tags: security

Activities

Christian Grothoff

2025-04-17 22:24

manager   ~0024597

I think it is fine to put them into the API specification.

Antoine A

2025-05-21 17:51

developer   ~0024958

As we already have a very restrictive body limit, it only makes sense to limit the size of user input that ends up in URLs and that is only the case for the account username.
Fixed in 112e39a988b663a56d13f63d4c6d60ed53b22264
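
The two controls discussed in this issue, a cap on the decompressed body and a length limit on the username, sketched as an added example; it is not libeufin-bank's code and is written in Python rather than the project's own language. The names read_body and check_username, the deflate encoding and the 128-byte username limit are assumptions; only the 4 kB body cap comes from the issue.

```python
import zlib

MAX_BODY = 4 * 1024   # 4 kB cap on decompressed bodies, as stated in the issue
MAX_USERNAME = 128    # assumed value: the issue does not state the username limit


class InputTooLarge(ValueError):
    """Raised when an input exceeds its configured size limit."""


def read_body(raw: bytes, encoding: str = "identity", limit: int = MAX_BODY) -> bytes:
    """Decode a request body without ever inflating more than limit + 1 bytes."""
    if encoding == "identity":
        if len(raw) > limit:
            raise InputTooLarge("body exceeds limit")
        return raw
    if encoding != "deflate":
        raise ValueError("unsupported content encoding")
    inflater = zlib.decompressobj()
    # max_length bounds the output buffer, so a tiny compressed payload cannot
    # force a large allocation; one extra byte is enough to detect an overrun.
    out = inflater.decompress(raw, limit + 1)
    if len(out) > limit:
        raise InputTooLarge("decompressed body exceeds limit")
    if not inflater.eof:
        raise ValueError("incomplete deflate stream")
    return out


def check_username(username: str, limit: int = MAX_USERNAME) -> str:
    """Bound the one input that ends up in URLs; length is counted in UTF-8 bytes."""
    if not username:
        raise ValueError("empty username")
    if len(username.encode("utf-8")) > limit:
        raise InputTooLarge("username exceeds limit")
    return username


# Constructed sample inputs (not taken from the issue).
SMALL = zlib.compress(b'{"subject": "rent for May"}')
BOMB = zlib.compress(b"A" * 1_000_000)   # about 1 kB on the wire, 1 MB inflated

if __name__ == "__main__":
    print(read_body(SMALL, "deflate"))
    try:
        read_body(BOMB, "deflate")
    except InputTooLarge as exc:
        print("rejected:", exc)
```

Checking the limit while inflating, rather than after, is what keeps the cap effective against highly compressible payloads.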

Issue History

Date Modified Username Field Change
2024-07-01 11:35 Antoine A New Issue
2024-07-01 11:35 Antoine A Status new => assigned
2024-07-01 11:35 Antoine A Assigned To => Antoine A
2024-07-25 23:59 Christian Grothoff Target Version 1.0 => post-1.0
2024-07-28 21:49 Christian Grothoff Severity minor => feature
2024-12-07 23:15 Christian Grothoff Target Version post-1.0 => 1.0 stretch goals
2025-04-17 22:24 Christian Grothoff Tag Attached: security
2025-04-17 22:24 Christian Grothoff Note Added: 0024597
2025-05-21 17:51 Antoine A Status assigned => resolved
2025-05-21 17:51 Antoine A Resolution open => fixed
2025-05-21 17:51 Antoine A Note Added: 0024958