Validate schema key field lengths before calling Iglu Server (#188)

SDJ schema fields (vendor, name, format) received over the public
internet are validated to be at most 128 characters before invoking
client.check. This prevents untrusted, oversized schema keys from
reaching Iglu Server. The 128 limit matches the VARCHAR column size
used in Iglu Server's database.

Author: istreeter

modules/common/src/main/scala/com.snowplowanalytics.snowplow.enrich/common/utils/IgluUtils.scala

@@ -26,7 +26,7 @@ import io.circe.generic.semiauto._
 import com.snowplowanalytics.iglu.client.{ClientError, IgluCirceClient}
 import com.snowplowanalytics.iglu.client.resolver.registries.RegistryLookup
 
-import com.snowplowanalytics.iglu.core.{SchemaCriterion, SchemaKey, SchemaVer, SelfDescribingData}
+import com.snowplowanalytics.iglu.core.{ParseError, SchemaCriterion, SchemaKey, SchemaVer, SelfDescribingData}
 import com.snowplowanalytics.iglu.core.circe.implicits._
 
 import com.snowplowanalytics.snowplow.enrich.common.enrichments.Failure
@@ -260,6 +260,9 @@ object IgluUtils {
                  .toIor
     } yield valid
 
+  // Matches the VARCHAR column size used for vendor, name, and format in Iglu Server's database.
+  private val MaxSchemaFieldLength = 128
+
   /** Check that a SDJ is valid */
   private[enrich] def validateSDJ[F[_]: Sync](
     client: IgluCirceClient[F],
@@ -269,34 +272,56 @@ object IgluUtils {
     etlTstamp: Instant
   ): EitherT[F, Failure.SchemaViolation, ValidSDJ] = {
     implicit val rl: RegistryLookup[F] = registryLookup
-    client
-      .check(sdj)
-      .leftSemiflatMap {
-        case re: ClientError.ResolutionError if client.resolver.isSystemError(re) =>
-          val message = s"Could not reach Iglu Server for schema '${sdj.schema.toSchemaUri}'. " +
-            s"Check resolver configuration and ensure registries are available. " +
-            s"Resolution errors: ${re.getMessage}"
-          Logger[F].error(message) >> Sync[F].raiseError[ClientError](IgluSystemError(message))
-        case other =>
-          Sync[F].pure(other)
-      }
-      .leftMap(clientError =>
-        Failure.SchemaViolation(
-          schemaViolation = FailureDetails.SchemaViolation.IgluError(sdj.schema, clientError),
-          source = field,
-          data = sdj.data,
-          etlTstamp = etlTstamp
-        )
-      )
-      .map { supersededBy =>
-        val validationInfo = supersededBy.map(s => ValidationInfo(sdj.schema, s))
-        ValidSDJ(
-          replaceSchemaVersion(sdj, validationInfo),
-          validationInfo
-        )
-      }
+    for {
+      _ <- validateSchemaFieldLength(sdj, sdj.schema.vendor, field, etlTstamp)
+      _ <- validateSchemaFieldLength(sdj, sdj.schema.name, field, etlTstamp)
+      _ <- validateSchemaFieldLength(sdj, sdj.schema.format, field, etlTstamp)
+      result <- client
+                  .check(sdj)
+                  .leftSemiflatMap {
+                    case re: ClientError.ResolutionError if client.resolver.isSystemError(re) =>
+                      val message = s"Could not reach Iglu Server for schema '${sdj.schema.toSchemaUri}'. " +
+                        s"Check resolver configuration and ensure registries are available. " +
+                        s"Resolution errors: ${re.getMessage}"
+                      Logger[F].error(message) >> Sync[F].raiseError[ClientError](IgluSystemError(message))
+                    case other =>
+                      Sync[F].pure(other)
+                  }
+                  .leftMap(clientError =>
+                    Failure.SchemaViolation(
+                      schemaViolation = FailureDetails.SchemaViolation.IgluError(sdj.schema, clientError),
+                      source = field,
+                      data = sdj.data,
+                      etlTstamp = etlTstamp
+                    )
+                  )
+                  .map { supersededBy =>
+                    val validationInfo = supersededBy.map(s => ValidationInfo(sdj.schema, s))
+                    ValidSDJ(
+                      replaceSchemaVersion(sdj, validationInfo),
+                      validationInfo
+                    )
+                  }
+    } yield result
   }
 
+  private def validateSchemaFieldLength[F[_]: Sync](
+    sdj: SelfDescribingData[Json],
+    value: String,
+    source: String,
+    etlTstamp: Instant
+  ): EitherT[F, Failure.SchemaViolation, Unit] =
+    EitherT.cond[F](
+      value.length <= MaxSchemaFieldLength,
+      (),
+      Failure.SchemaViolation(
+        schemaViolation = FailureDetails.SchemaViolation.NotIglu(sdj.normalize, ParseError.InvalidIgluUri),
+        source = source,
+        data = sdj.data,
+        etlTstamp = etlTstamp
+      )
+    )
+
   /**
    * Check that several SDJs are valid
    * @return `SchemaViolation`s in the `Left` and valid SDJs in the `Right`, if any

modules/common/src/test/scala/com.snowplowanalytics.snowplow.enrich.common/utils/IgluUtilsSpec.scala

@@ -21,7 +21,7 @@ import io.circe.syntax._
 
 import cats.data.{Ior, NonEmptyList}
 
-import com.snowplowanalytics.iglu.core.{SchemaKey, SchemaVer}
+import com.snowplowanalytics.iglu.core.{ParseError, SchemaKey, SchemaVer}
 
 import com.snowplowanalytics.iglu.client.ClientError.{ResolutionError, ValidationError}
 
@@ -962,6 +962,74 @@ class IgluUtilsSpec extends Specification with ValidatedMatchers with CatsEffect
         }
     }
 
+    "return a NotIglu error if a context has a schema vendor exceeding 128 characters" >> {
+      val longVendor = "a" * 129
+      val longVendorContext = s"""{
+        "schema": "iglu:$longVendor/email_sent/jsonschema/1-0-0",
+        "data": {"emailAddress": "hello@world.com", "emailAddress2": "foo@bar.org"}
+      }"""
+
+      IgluUtils
+        .parseAndValidateContexts(
+          Some(buildInputContexts(List(longVendorContext))),
+          SpecHelpers.client,
+          SpecHelpers.registryLookup,
+          SpecHelpers.DefaultMaxJsonDepth,
+          SpecHelpers.etlTstamp
+        )
+        .value
+        .map {
+          case Ior.Both(
+                NonEmptyList(
+                  Failure.SchemaViolation(
+                    FailureDetails.SchemaViolation.NotIglu(_, ParseError.InvalidIgluUri),
+                    `contextsFieldName`,
+                    _,
+                    _
+                  ),
+                  Nil
+                ),
+                None
+              ) =>
+            ok
+          case other => ko(s"[$other] is not a NotIglu error with InvalidIgluUri")
+        }
+    }
+
+    "return a NotIglu error if a context has a schema name exceeding 128 characters" >> {
+      val longName = "a" * 129
+      val longNameContext = s"""{
+        "schema": "iglu:com.acme/$longName/jsonschema/1-0-0",
+        "data": {"emailAddress": "hello@world.com", "emailAddress2": "foo@bar.org"}
+      }"""
+
+      IgluUtils
+        .parseAndValidateContexts(
+          Some(buildInputContexts(List(longNameContext))),
+          SpecHelpers.client,
+          SpecHelpers.registryLookup,
+          SpecHelpers.DefaultMaxJsonDepth,
+          SpecHelpers.etlTstamp
+        )
+        .value
+        .map {
+          case Ior.Both(
+                NonEmptyList(
+                  Failure.SchemaViolation(
+                    FailureDetails.SchemaViolation.NotIglu(_, ParseError.InvalidIgluUri),
+                    `contextsFieldName`,
+                    _,
+                    _
+                  ),
+                  Nil
+                ),
+                None
+              ) =>
+            ok
+          case other => ko(s"[$other] is not a NotIglu error with InvalidIgluUri")
+        }
+    }
+
     "return the extracted unstructured event and the extracted input contexts when schema is superseded by another schema" >> {
       val input = IgluUtils.EventExtractInput(unstructEvent = Some(buildUnstruct(supersedingExample1)),
                                               contexts = Some(buildInputContexts(List(supersedingExample1, supersedingExample2)))