2 - cap size of details and imageURI

[spengrah]

sherlock-audit/2023-02-hats-judging#2

[nintynick]

looks good, though I would prefer if imageURI was even further restricted (say 1000 bytes). and it may be helpful to explain in the comment a bit how we got to 7000.

[zobront]

This PR appears to cap the length in the change... functions but still allows it to be set higher when the hat is originally created. Does it make sense to add a similar check in _createHat()?

[zobront]

Same thing with the _linkTopHatToTree() function, I believe.

[spengrah]

This PR appears to cap the length in the change... functions but still allows it to be set higher when the hat is originally created. Does it make sense to add a similar check in _createHat()?

@zobront the thinking here is that we don't need the check on creation since — due to writing being more expensive than reading — it will be impossible to write a single string that can DOS reads. Only by incrementally updating can a DOS be achieved, hence the choice to apply at the changeHat...() level. This also gives initial hat creators some additional flexibility if they desire, and (more importantly) minimizes cost for a common function.

Let me know if you disagree with this analysis.

Same thing with the _linkTopHatToTree() function, I believe.

Ah, good catch. Since this can be called from within relink...() multiple times, its subject to the iterative write attack, so it should have this check.

[zobront]

@spengrah Great, agreed with this reasoning and the fix in #118 looks perfect.