From dbcd5e7de2c33d36c17e1047fd5ab0318bccdc7f Mon Sep 17 00:00:00 2001
From: Dragory <2606411+Dragory@users.noreply.github.com>
Date: Tue, 13 Oct 2020 19:45:37 +0300
Subject: [PATCH] Cap delay strings to 100 years

This is to avoid issues with max date values and other similar edge
cases. This was an issue when accidentally passing a user ID as the
time value for e.g. reminders.
---
 backend/src/utils.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/src/utils.ts b/backend/src/utils.ts
index a91caacf..582f77aa 100644
--- a/backend/src/utils.ts
+++ b/backend/src/utils.ts
@@ -296,6 +296,10 @@ export const tDelayString = new t.Type<string, string>(
   s => s,
 );
 
+// To avoid running into issues with the JS max date vaLue, we cap maximum delay strings *far* below that.
+// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#The_ECMAScript_epoch_and_timestamps
+const MAX_DELAY_STRING_AMOUNT = 100 * 365 * DAYS;
+
 /**
  * Turns a "delay string" such as "1h30m" to milliseconds
  */
@@ -317,6 +321,10 @@ export function convertDelayStringToMS(str, defaultUnit = "m"): number {
     return null;
   }
 
+  if (ms > MAX_DELAY_STRING_AMOUNT) {
+    return null;
+  }
+
   return ms;
 }