fix: enforce 65k character limit for setting values (#3162)

* Enforce 65k limit when attempting to store setting values.

* Add space for style.

* Move setting validation into Saving event listener.

* Use consistent var names

* remove extra space

* Move settings validation into separate class.

* Remove unused class.

* Remove extra line.

* Move ValidateCustomLess to SettingsServiceProvider.  Use existing convention for validator.

* Update src/Settings/SettingsValidator.php

Co-authored-by: Alexander Skvortsov <38059171+askvortsov1@users.noreply.github.com>

* Revert moving of ValidateCustomLess logic.  Allow for attribute specific setting validation rules.

* Style fixes.

* Style fixes.

* Style fixes.

Co-authored-by: Alexander Skvortsov <38059171+askvortsov1@users.noreply.github.com>

framework/core/src/Settings/SettingsServiceProvider.php

@@ -10,7 +10,9 @@
 namespace Flarum\Settings;
 
 use Flarum\Foundation\AbstractServiceProvider;
+use Flarum\Settings\Event\Saving;
 use Illuminate\Contracts\Container\Container;
+use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Database\ConnectionInterface;
 use Illuminate\Support\Collection;
 
@@ -41,4 +43,14 @@ class SettingsServiceProvider extends AbstractServiceProvider
 
         $this->container->alias(SettingsRepositoryInterface::class, 'flarum.settings');
     }
+
+    public function boot(Dispatcher $events, SettingsValidator $settingsValidator)
+    {
+        $events->listen(
+            Saving::class,
+            function (Saving $event) use ($settingsValidator) {
+                $settingsValidator->assertValid($event->settings);
+            }
+        );
+    }
 }

framework/core/src/Settings/SettingsValidator.php

@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Settings;
+
+use Flarum\Foundation\AbstractValidator;
+
+class SettingsValidator extends AbstractValidator
+{
+    /**
+     * @var array
+     */
+    protected $rules = [];
+
+    /**
+     * These rules apply to all attributes.
+     *
+     * Entries in the default DB settings table are limited to 65,000
+     * characters. We validate against this to avoid confusing errors.
+     *
+     * @var array
+     */
+    protected $globalRules = [
+        'max:65000',
+    ];
+
+    /**
+     * Make a new validator instance for this model.
+     *
+     * @param array $attributes
+     * @return \Illuminate\Validation\Validator
+     */
+    protected function makeValidator(array $attributes)
+    {
+        // Apply global rules first.
+        $rules = array_map(function () {
+            return $this->globalRules;
+        }, $attributes);
+
+        // Apply attribute specific rules.
+        foreach ($rules as $key => $value) {
+            if (array_key_exists($key, $this->rules)) {
+                $rules[$key] = array_merge($rules[$key], $this->rules[$key]);
+            }
+        }
+
+        $validator = $this->validator->make($attributes, $rules, $this->getMessages());
+
+        foreach ($this->configuration as $callable) {
+            $callable($this, $validator);
+        }
+
+        return $validator;
+    }
+}