URL length not validated; inputs >128 chars cause unhandled 500 error #10

Open
opened 2026-05-14 20:30:41 +02:00 by Claude · 0 comments

## Problem

The `original` column is defined as `char(128)` in the database. The controller validates that the submitted value is a syntactically valid URL (via Symfony's `Url` constraint) but does not enforce a length limit. A URL longer than 128 characters passes validation and is handed to Doctrine, which throws an uncaught exception when MySQL rejects the oversized value.

## Location

- `src/Entity/Links.php`, line 17: `#[ORM\Column(length: 128)]`
- `src/Controller/Shortener.php`, lines 22–27: validation checks only URL format, no `Length` constraint

## Risk

Submitting any valid URL exceeding 128 characters produces an unhandled 500 error instead of a user-friendly message. Many real-world URLs (e.g., URLs with query strings) routinely exceed 128 characters, making this a common reliability failure. Depending on Symfony's error display configuration, the stack trace could leak internal path or database information.

## Suggested fix direction

Add a `Length(max: 2048)` constraint alongside the existing `Url` constraint in the controller, and increase the `original` column size to match (e.g., `#[ORM\Column(length: 2048)]` plus a corresponding migration).
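As an added illustration of the fix direction (not code from the OpenLink project), the snippet below keeps the `Url` constraint, adds `Length(max: 2048)`, and turns violations into a 400 response so the oversized value never reaches Doctrine. It assumes the Symfony Validator and HttpFoundation components are installed via Composer; the function names are hypothetical.

```php
<?php
// Added example, not the project's own controller. Assumes Symfony's
// Validator and HttpFoundation components (composer require symfony/validator
// symfony/http-foundation). Function names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Validation;

// Must match the entity column: #[ORM\Column(length: 2048)] plus a migration.
// Length counts characters (mb_strlen), as does a MySQL (VAR)CHAR(n) column.
const ORIGINAL_URL_MAX_LENGTH = 2048;

/** Returns a list of violation messages; an empty array means safe to persist. */
function validateOriginalUrl(string $candidate): array
{
    $validator = Validation::createValidator();

    // Before the fix only Assert\Url ran: an over-long URL passed and Doctrine
    // later threw when the database rejected it (the 500 in this issue).
    // Length(max:) bounds the value before it reaches the persistence layer.
    $violations = $validator->validate($candidate, [
        new Assert\Url(),
        new Assert\Length(max: ORIGINAL_URL_MAX_LENGTH),
    ]);

    $errors = [];
    foreach ($violations as $violation) {
        $errors[] = $violation->getMessage();
    }
    return $errors;
}

function shortenAction(Request $request): JsonResponse
{
    $original = (string) $request->request->get('original', '');
    $errors = validateOriginalUrl($original);
    if ($errors !== []) {
        // User-facing 400 with a message instead of an unhandled exception.
        return new JsonResponse(['errors' => $errors], 400);
    }
    // ... persist the Links entity here (omitted in this example)
    return new JsonResponse(['ok' => true], 201);
}

// Constructed inputs: a short URL passes, a 3000+ character one is rejected.
$tooLong = 'https://example.com/?q=' . str_repeat('a', 3000);
assert(validateOriginalUrl('https://example.com/') === []);
assert(validateOriginalUrl($tooLong) !== []);
```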

## Severity

minor

## Found by

Automated audit by Claude Code

Reference
bc1bb/OpenLink#10