Add rules language support and improve password validation across the app

pilots.go

@@ -9,6 +9,27 @@ import (
 	"strings"
 )
 
+// sanitizePilotField trims whitespace, strips a leading CSV-formula prefix
+// (=, +, -, @, tab, CR) so the value can never be interpreted as a formula
+// when re-exported in a spreadsheet, and clips to the given byte length.
+func sanitizePilotField(s string, max int) string {
+	s = strings.TrimSpace(s)
+	for len(s) > 0 {
+		switch s[0] {
+		case '=', '+', '-', '@', '\t', '\r':
+			s = strings.TrimLeftFunc(s[1:], func(r rune) bool {
+				return r == '=' || r == '+' || r == '-' || r == '@' || r == '\t' || r == '\r' || r == ' '
+			})
+			continue
+		}
+		break
+	}
+	if len(s) > max {
+		s = s[:max]
+	}
+	return s
+}
+
 func registerPilotRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("GET /api/competitions/{id}/pilots", requireAuth(handleListPilots))
 	mux.HandleFunc("POST /api/competitions/{id}/pilots", requireAuth(handleCreatePilot))
@@ -153,7 +174,8 @@ func handleImportPilots(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusForbidden, "forbidden")
 		return
 	}
-	body, err := io.ReadAll(r.Body)
+	// Cap the upload to keep memory bounded.
+	body, err := io.ReadAll(io.LimitReader(r.Body, 2*1024*1024))
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "read_error")
 		return
@@ -188,16 +210,16 @@ func handleImportPilots(w http.ResponseWriter, r *http.Request) {
 		if len(rec) < 3 {
 			continue
 		}
-		number := strings.TrimSpace(rec[0])
-		lastName := strings.TrimSpace(rec[1])
-		firstName := strings.TrimSpace(rec[2])
+		number := sanitizePilotField(rec[0], 32)
+		lastName := sanitizePilotField(rec[1], 128)
+		firstName := sanitizePilotField(rec[2], 128)
 		country := ""
 		balloon := ""
 		if len(rec) >= 4 {
-			country = strings.TrimSpace(rec[3])
+			country = sanitizePilotField(rec[3], 64)
 		}
 		if len(rec) >= 5 {
-			balloon = strings.TrimSpace(rec[4])
+			balloon = sanitizePilotField(rec[4], 64)
 		}
 		if number == "" {
 			continue