feat: enforce system-level length caps and metadata count in subscription form validation

- SubscriptionFormConstraintsFactory: auto-generate MaxLength(256) for
  input fields and MaxLength(1024) for textarea fields; cap user-defined
  values at the system limit when exceeded
- SubscriptionFormSubmissionValidator: reject submissions with more than
  25 metadata entries (MAX_METADATA_COUNT)
- SubscriptionMetadataSanitizer: remove global length/count limits —
  these now apply only to subscription form submissions, not all clients

Author: JedrzejJanasiak

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/main/java/io/gravitee/apim/core/subscription_form/domain_service/SubscriptionFormConstraintsFactory.java

@@ -21,11 +21,12 @@
 import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.CheckboxField;
 import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.CheckboxGroupField;
 import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.Field;
-import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.MaxLengthAttribute;
+import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.InputField;
 import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.MinLengthAttribute;
 import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.OptionsAttribute;
 import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.PatternAttribute;
 import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.ReadOnlyValueAttribute;
+import io.gravitee.apim.core.subscription_form.model.SubscriptionFormSchema.TextareaField;
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -34,6 +35,9 @@
 /**
  * Builds {@link SubscriptionFormFieldConstraints} from a parsed {@link SubscriptionFormSchema}.
  *
+ * <p>System-level length limits are always enforced regardless of user configuration.
+ * See {@link Constraint.MaxLength#INPUT_MAX_LENGTH} and {@link Constraint.MaxLength#TEXTAREA_MAX_LENGTH}.</p>
+ *
  * @author Gravitee.io Team
  */
 public final class SubscriptionFormConstraintsFactory {
@@ -71,8 +75,12 @@ private static List<Constraint> constraintsFor(Field field) {
         if (field instanceof MinLengthAttribute min && min.minLength() != null) {
             out.add(new Constraint.MinLength(min.minLength()));
         }
-        if (field instanceof MaxLengthAttribute max && max.maxLength() != null) {
-            out.add(new Constraint.MaxLength(max.maxLength()));
+        if (field instanceof InputField input) {
+            out.add(input.maxLength() != null ? Constraint.MaxLength.forInput(input.maxLength()) : Constraint.MaxLength.forInput());
+        } else if (field instanceof TextareaField textarea) {
+            out.add(
+                textarea.maxLength() != null ? Constraint.MaxLength.forTextarea(textarea.maxLength()) : Constraint.MaxLength.forTextarea()
+            );
         }
         if (field instanceof PatternAttribute pat && pat.pattern() != null) {
             out.add(new Constraint.MatchesPattern(pat.pattern()));

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/main/java/io/gravitee/apim/core/subscription_form/domain_service/SubscriptionFormSubmissionValidator.java

@@ -35,6 +35,9 @@
  */
 public class SubscriptionFormSubmissionValidator {
 
+    /** Maximum number of metadata entries accepted in a subscription form submission. */
+    public static final int MAX_METADATA_COUNT = 25;
+
     private final SubscriptionFormFieldConstraints fieldConstraints;
 
     public SubscriptionFormSubmissionValidator(SubscriptionFormSchema schema) {
@@ -57,6 +60,11 @@ public void validate(Map<String, String> submittedValues) {
         if (fieldConstraints.isEmpty()) {
             return;
         }
+        if (submittedValues.size() > MAX_METADATA_COUNT) {
+            throw new SubscriptionFormValidationException(
+                List.of("Subscription metadata must not exceed " + MAX_METADATA_COUNT + " entries")
+            );
+        }
         List<String> errors = fieldConstraints
             .byFieldKey()
             .entrySet()

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/main/java/io/gravitee/apim/core/subscription_form/model/Constraint.java

@@ -152,6 +152,26 @@ public String formatErrorMessage(String fieldKey, String value) {
 
     /** Value must be at most {@code max} characters long (skipped when empty). */
     record MaxLength(int max) implements Constraint {
+        public static final int INPUT_MAX_LENGTH = 256;
+
+        public static final int TEXTAREA_MAX_LENGTH = 1024;
+
+        public static MaxLength forInput() {
+            return new MaxLength(INPUT_MAX_LENGTH);
+        }
+
+        public static MaxLength forInput(int userDefined) {
+            return new MaxLength(Math.min(userDefined, INPUT_MAX_LENGTH));
+        }
+
+        public static MaxLength forTextarea() {
+            return new MaxLength(TEXTAREA_MAX_LENGTH);
+        }
+
+        public static MaxLength forTextarea(int userDefined) {
+            return new MaxLength(Math.min(userDefined, TEXTAREA_MAX_LENGTH));
+        }
+
         @Override
         public boolean check(String value) {
             return value.isEmpty() || value.length() <= max;

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/main/java/io/gravitee/rest/api/service/v4/validation/SubscriptionMetadataSanitizer.java

@@ -23,40 +23,35 @@
 import org.springframework.stereotype.Component;
 
 /**
- * Validates and sanitizes subscription form metadata (keys, value length).
+ * Sanitizes subscription metadata: validates key format and strips HTML tags from values.
  * Values are plain text; HTML tags are stripped to prevent XSS when metadata is rendered.
  * No HTML encoding is applied, so characters like {@code @}, {@code +}, {@code =} are stored as-is.
  *
+ * <p>Business-level limits (max value length, max entry count) are enforced separately by
+ * {@link io.gravitee.apim.core.subscription_form.domain_service.SubscriptionFormSubmissionValidator}
+ * for subscriptions that go through a subscription form.</p>
+ *
  * @author GraviteeSource Team
  */
 @Component
 public class SubscriptionMetadataSanitizer {
 
     private static final Pattern KEY_PATTERN = Pattern.compile("^[A-Za-z0-9_-]{1,100}$");
     private static final Pattern HTML_TAG = Pattern.compile("<[^>]*>");
-    private static final int MAX_VALUE_LENGTH = 1024;
-    private static final int MAX_METADATA_COUNT = 25;
 
     /**
-     * Validates metadata keys and value lengths, then strips HTML tags from each value.
+     * Validates metadata key format, strips HTML tags from each value, and omits blank values.
      * Any remaining characters (including {@code <}, {@code >}, non-Latin, etc.) are stored as-is.
      *
      * @param metadata raw metadata from the client
      * @return sanitized metadata, or empty map if input is null
-     * @throws SubscriptionMetadataInvalidException if a key is invalid or a value exceeds max length
+     * @throws SubscriptionMetadataInvalidException if a key does not match the required format
      */
     public Map<String, String> sanitizeAndValidate(Map<String, String> metadata) {
         if (metadata == null) {
             return Collections.emptyMap();
         }
 
-        if (metadata.size() > MAX_METADATA_COUNT) {
-            throw new SubscriptionMetadataInvalidException(
-                SubscriptionMetadataInvalidException.Reason.TOO_MANY,
-                "Too many metadata entries. Maximum is " + MAX_METADATA_COUNT + "."
-            );
-        }
-
         Map<String, String> sanitizedMetadata = new HashMap<>();
         for (Map.Entry<String, String> entry : metadata.entrySet()) {
             String key = entry.getKey();
@@ -67,15 +62,7 @@ public Map<String, String> sanitizeAndValidate(Map<String, String> metadata) {
                 );
             }
 
-            String value = entry.getValue();
-            if (value != null && value.length() > MAX_VALUE_LENGTH) {
-                throw new SubscriptionMetadataInvalidException(
-                    SubscriptionMetadataInvalidException.Reason.VALUE_TOO_LONG,
-                    "Metadata value for key '" + key + "' is too long (max " + MAX_VALUE_LENGTH + " characters)."
-                );
-            }
-
-            String sanitizedValue = stripHtmlTags(value);
+            String sanitizedValue = stripHtmlTags(entry.getValue());
             if (sanitizedValue == null || sanitizedValue.isBlank()) {
                 continue;
             }

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/test/java/io/gravitee/apim/core/subscription_form/domain_service/SubscriptionFormConstraintsFactoryTest.java

@@ -15,6 +15,8 @@
  */
 package io.gravitee.apim.core.subscription_form.domain_service;
 
+import static io.gravitee.apim.core.subscription_form.model.Constraint.MaxLength.INPUT_MAX_LENGTH;
+import static io.gravitee.apim.core.subscription_form.model.Constraint.MaxLength.TEXTAREA_MAX_LENGTH;
 import static org.assertj.core.api.Assertions.assertThat;
 
 import io.gravitee.apim.core.subscription_form.model.Constraint;
@@ -92,6 +94,41 @@ void should_map_required_checkbox_to_must_be_true() {
         assertThat(constraints.byFieldKey().get("terms")).containsExactly(new Constraint.MustBeTrue());
     }
 
+    @Test
+    void should_apply_system_max_length_to_input_when_no_user_max_defined() {
+        var schema = new SubscriptionFormSchema(List.of(new InputField("name", false, null, null, null, null)));
+        var constraints = SubscriptionFormConstraintsFactory.fromSchema(schema);
+        assertThat(constraints.byFieldKey().get("name")).containsExactly(new Constraint.MaxLength(INPUT_MAX_LENGTH));
+    }
+
+    @Test
+    void should_apply_system_max_length_to_textarea_when_no_user_max_defined() {
+        var schema = new SubscriptionFormSchema(List.of(new TextareaField("bio", false, null, null, null)));
+        var constraints = SubscriptionFormConstraintsFactory.fromSchema(schema);
+        assertThat(constraints.byFieldKey().get("bio")).containsExactly(new Constraint.MaxLength(TEXTAREA_MAX_LENGTH));
+    }
+
+    @Test
+    void should_cap_input_max_length_at_system_limit_when_user_exceeds_it() {
+        var schema = new SubscriptionFormSchema(List.of(new InputField("name", false, null, null, 1000, null)));
+        var constraints = SubscriptionFormConstraintsFactory.fromSchema(schema);
+        assertThat(constraints.byFieldKey().get("name")).containsExactly(new Constraint.MaxLength(INPUT_MAX_LENGTH));
+    }
+
+    @Test
+    void should_cap_textarea_max_length_at_system_limit_when_user_exceeds_it() {
+        var schema = new SubscriptionFormSchema(List.of(new TextareaField("notes", false, null, null, 9999)));
+        var constraints = SubscriptionFormConstraintsFactory.fromSchema(schema);
+        assertThat(constraints.byFieldKey().get("notes")).containsExactly(new Constraint.MaxLength(TEXTAREA_MAX_LENGTH));
+    }
+
+    @Test
+    void should_preserve_user_max_length_when_within_system_limit() {
+        var schema = new SubscriptionFormSchema(List.of(new InputField("code", false, null, null, 50, null)));
+        var constraints = SubscriptionFormConstraintsFactory.fromSchema(schema);
+        assertThat(constraints.byFieldKey().get("code")).containsExactly(new Constraint.MaxLength(50));
+    }
+
     @Test
     void should_map_checkbox_group_required_with_each_of() {
         var schema = new SubscriptionFormSchema(List.of(new CheckboxGroupField("tags", true, List.of("A", "B"))));

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/test/java/io/gravitee/apim/core/subscription_form/domain_service/SubscriptionFormSubmissionValidatorTest.java

@@ -289,6 +289,37 @@ void should_not_apply_other_validations_to_readonly_fields() {
         }
     }
 
+    @Nested
+    class WhenValidatingMetadataCount {
+
+        @Test
+        void should_throw_when_submission_exceeds_max_metadata_count() {
+            var schema = schema(requiredInput("company"));
+            Map<String, String> tooMany = new java.util.HashMap<>();
+            for (int i = 0; i < SubscriptionFormSubmissionValidator.MAX_METADATA_COUNT + 1; i++) {
+                tooMany.put("key_" + i, "value");
+            }
+            assertThatThrownBy(() -> validateSubmission(schema, tooMany))
+                .isInstanceOf(SubscriptionFormValidationException.class)
+                .extracting(e -> ((SubscriptionFormValidationException) e).getErrors())
+                .satisfies(errors ->
+                    assertThat(errors).containsExactly(
+                        "Subscription metadata must not exceed " + SubscriptionFormSubmissionValidator.MAX_METADATA_COUNT + " entries"
+                    )
+                );
+        }
+
+        @Test
+        void should_not_throw_when_submission_is_at_max_metadata_count() {
+            var schema = schema(optionalInput("notes"));
+            Map<String, String> exactlyMax = new java.util.HashMap<>();
+            for (int i = 0; i < SubscriptionFormSubmissionValidator.MAX_METADATA_COUNT; i++) {
+                exactlyMax.put("key_" + i, "value");
+            }
+            assertThatNoException().isThrownBy(() -> validateSubmission(schema, exactlyMax));
+        }
+    }
+
     @Nested
     class WhenUsingPrebuiltFieldConstraints {
 

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/test/java/io/gravitee/rest/api/service/v4/validation/SubscriptionMetadataSanitizerTest.java

@@ -51,41 +51,6 @@ void should_throw_when_metadata_key_is_invalid() {
         assertThat(throwable.getMessage()).isEqualTo("Invalid metadata key: bad key");
     }
 
-    @Test
-    void should_throw_when_metadata_value_is_too_long() {
-        Map<String, String> tooLongValue = Map.of("valid_key", "a".repeat(1025));
-
-        var throwable = assertThrows(SubscriptionMetadataInvalidException.class, () -> cut.sanitizeAndValidate(tooLongValue));
-
-        assertThat(throwable.getTechnicalCode()).isEqualTo("subscription.metadata.value.too_long");
-        assertThat(throwable.getMessage()).isEqualTo("Metadata value for key 'valid_key' is too long (max 1024 characters).");
-    }
-
-    @Test
-    void should_throw_when_metadata_count_exceeds_maximum() {
-        Map<String, String> tooMany = new HashMap<>();
-        for (int i = 0; i < 26; i++) {
-            tooMany.put("key_" + i, "value");
-        }
-
-        var throwable = assertThrows(SubscriptionMetadataInvalidException.class, () -> cut.sanitizeAndValidate(tooMany));
-
-        assertThat(throwable.getTechnicalCode()).isEqualTo("subscription.metadata.too_many");
-        assertThat(throwable.getMessage()).isEqualTo("Too many metadata entries. Maximum is 25.");
-    }
-
-    @Test
-    void should_accept_metadata_at_maximum_count() {
-        Map<String, String> maxAllowed = new HashMap<>();
-        for (int i = 0; i < 25; i++) {
-            maxAllowed.put("key_" + i, "value");
-        }
-
-        var result = cut.sanitizeAndValidate(maxAllowed);
-
-        assertThat(result).hasSize(25);
-    }
-
     @Test
     void should_strip_html_tags_and_omit_empty_values() {
         Map<String, String> metadata = new HashMap<>();