From 6dc348ec4f6ee1fbd000f02667bf8767e93cdffa Mon Sep 17 00:00:00 2001 From: Peter Mescalchin Date: Wed, 27 Mar 2024 20:08:21 +1100 Subject: [PATCH] Added max length `> 255 chars` check for custom origin path --- lib.js | 4 ++++ test/main-payloadverify.test.js | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/lib.js b/lib.js index 40ad830..8b60715 100644 --- a/lib.js +++ b/lib.js @@ -514,6 +514,10 @@ function payloadVerifyRequestOrigin(payload) { throw new Error(`payload property [origin.custom.path] must be empty or begin, but not end with forward slash - got [${custom.path}]`); } + if (custom.path.length > 255) { + throw new Error(`payload property [origin.custom.path] length must not exceed 255 characters - got [${custom.path}]`); + } + // ensure `origin.custom.port` is within bounds if ( (custom.port !== 80) && diff --git a/test/main-payloadverify.test.js b/test/main-payloadverify.test.js index 031b30c..85ee8db 100644 --- a/test/main-payloadverify.test.js +++ b/test/main-payloadverify.test.js @@ -592,6 +592,12 @@ function testPayloadVerifyRequestOrigin(inst) { })); }); + assert.throws(function() { + callVerify(makePayloadWithOriginCustom(function(payload) { + payload.origin.custom.path = '/path/too/long'.repeat(20); + })); + }); + assert.throws(function() { callVerify(makePayloadWithOriginCustom(function(payload) { delete payload.origin.custom.port;
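Review bot: The error message added under `if (custom.path.length > 255)` interpolates the whole rejected `custom.path`, which at that point is known to be longer than 255 characters and has no upper bound in the visible code, so a caller-supplied payload can push arbitrarily large strings into exception messages and any log that records them. Report the size instead, for example `throw new Error(`payload property [origin.custom.path] length must not exceed 255 characters - got length [${custom.path.length}]`);`. The slash-format check just above also echoes `custom.path` and runs before this bound, so moving the length check ahead of it would cap what that message can carry too. `.length` counts UTF-16 code units, so if the limit being enforced downstream is in bytes, a non-ASCII path could still exceed it; this is worth confirming. The body of `payloadVerifyRequestOrigin` starts and ends outside the hunk.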
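Review bot: The new `assert.throws` case in `testPayloadVerifyRequestOrigin` uses a 280-character path and no error matcher, so it neither pins the 255/256 boundary nor proves that the length check is the one that fired; any other validation error on that payload would make it pass. Assuming `assert` is Node's, pass a matcher as the second argument, e.g. `assert.throws(fn, /must not exceed 255 characters/)`, and use `'/' + 'a'.repeat(255)` as the rejected value. A companion case with `'/' + 'a'.repeat(254)` that is expected not to throw would catch an off-by-one if the comparison is later changed to `>=`. The test function's body starts and ends outside the hunk.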