fix(polls) improve message validation (#14991)

* fix(polls) improve message validation

- Prevent creation of too many polls
- Discard absurdly large payloads

* Update resources/prosody-plugins/mod_polls.lua

Co-authored-by: Дамян Минков <damencho@jitsi.org>

---------

Co-authored-by: Дамян Минков <damencho@jitsi.org>

resources/prosody-plugins/mod_polls.lua

@@ -11,6 +11,9 @@ local muc = module:depends("muc");
 local NS_NICK = 'http://jabber.org/protocol/nick';
 local is_healthcheck_room = util.is_healthcheck_room;
 
+local POLLS_LIMIT = 128;
+local POLL_PAYLOAD_LIMIT = 1024;
+
 -- Checks if the given stanza contains a JSON message,
 -- and that the message type pertains to the polls feature.
 -- If yes, returns the parsed message. Otherwise, returns nil.
@@ -22,6 +25,10 @@ local function get_poll_message(stanza)
     if json_data == nil then
         return nil;
     end
+    if string.len(json_data) >= POLL_PAYLOAD_LIMIT then
+        module:log('error', 'Poll payload too large, discarding. Sender: %s to:%s', stanza.attr.from, stanza.attr.to);
+        return nil;
+    end
     local data, error = json.decode(json_data);
     if not data or (data.type ~= "new-poll" and data.type ~= "answer-poll") then
         if error then
@@ -72,6 +79,7 @@ module:hook("muc-room-created", function(event)
     room.polls = {
         by_id = {};
         order = {};
+        count = 0;
     };
 end);
 
@@ -100,6 +108,11 @@ module:hook("message/bare", function(event)
             return
         end
 
+        if room.polls.count >= POLLS_LIMIT then
+            module:log("error", "Too many polls created in %s", room.jid)
+            return
+        end
+
         local answers = {}
         local compact_answers = {}
         for i, name in ipairs(data.answers) do
@@ -117,6 +130,7 @@ module:hook("message/bare", function(event)
 
         room.polls.by_id[data.pollId] = poll
         table.insert(room.polls.order, poll)
+        room.polls.count = room.polls.count + 1;
 
         local pollData = {
             event = event,