Add validation in send_bloom endpoint to reject blooms exceeding 280 chars

Author: RahwaZeslusHaile

backend/data/users.py

@@ -1,10 +1,17 @@
 from dataclasses import dataclass
-from hashlib import scrypt
 import hashlib
 import random
 import string
 from typing import List, Optional
 
+try:
+    from hashlib import scrypt as _scrypt_impl
+    USE_HASHLIB_SCRYPT = True
+except ImportError:
+    # Python 3.9 doesn't have scrypt in hashlib, use the scrypt package
+    import scrypt as _scrypt_module
+    USE_HASHLIB_SCRYPT = False
+
 from data.connection import db_cursor
 from psycopg2.errors import UniqueViolation
 
@@ -91,7 +98,12 @@ def register_user(username: str, password_plaintext: str) -> User:
 
 
 def scrypt(password_plaintext: bytes, password_salt: bytes) -> bytes:
-    return hashlib.scrypt(password_plaintext, salt=password_salt, n=8, r=8, p=1)
+    if USE_HASHLIB_SCRYPT:
+        # Python 3.11+ hashlib.scrypt
+        return _scrypt_impl(password_plaintext, salt=password_salt, n=8, r=8, p=1)
+    else:
+        # Python 3.9 scrypt package
+        return _scrypt_module.hash(password_plaintext, password_salt, N=8, r=8, p=1)
 
 
 SALT_CHARACTERS = string.ascii_uppercase + string.ascii_lowercase + string.digits

backend/endpoints.py

@@ -18,6 +18,7 @@
 from datetime import timedelta
 
 MINIMUM_PASSWORD_LENGTH = 5
+MAXIMUM_BLOOM_LENGTH = 280
 
 
 def login():
@@ -156,9 +157,20 @@ def send_bloom():
     if type_check_error is not None:
         return type_check_error
 
+    content = request.json["content"]
+    
+    if len(content) > MAXIMUM_BLOOM_LENGTH:
+        return make_response(
+            jsonify({
+                "success": False,
+                "message": f"Bloom content exceeds maximum length of {MAXIMUM_BLOOM_LENGTH} characters"
+            }),
+            400
+        )
+
     user = get_current_user()
 
-    blooms.add_bloom(sender=user, content=request.json["content"])
+    blooms.add_bloom(sender=user, content=content)
 
     return jsonify(
         {