First, thank you for maintaining this! I'm eager to try it with my site.
I have a question: is there any validation done on the CSP reports? I didn't see any, and I'm wondering if this doesn't open a site up to various security issues?
For instance, what if we set `log_report` and then start sending thousands of massive reports, i.e., huge JSON objects, at the same time? Couldn't that immediately eat up a server's RAM?
It appears that there's some amount of validation in the `save_report` function in terms of requiring that the report match the desired keys, and some fields are limited by `choices`, but I'm wondering whether directives shouldn't be more fully validated? I'm not well versed on CSP RFCs, so if you know of a place that shows good validation or a repo that might do it already I'd love to take a look and make a PR if I'm able.
I suppose one thing to do short-term is to use log_reports and simply add a custom filter that verifies the size of the log is below a certain threshold of kb?
Mainly opening this issue to see if maintainers have ideas that would be useful in making sure that the endpoint doesn't open up any vulnerabilities. Thanks again for maintaining this repo!
I could see an argument like mitigating the size of a request object should be done at the webserver level, but want to raise the question just in case!
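The two concerns raised in this issue, an unbounded report body and an unchecked `violated-directive`, can both be handled in a small validation step that runs before a report is logged or saved. The following is an added example and not code from the project discussed here. It assumes the legacy `report-uri` JSON format (a top-level `csp-report` object with the fields defined by CSP Level 2/3), and the names `validate_csp_report`, `MAX_REPORT_BYTES`, `MAX_FIELD_CHARS` and the sample payloads are constructed for the example.

```python
"""Bounded validation of a CSP violation report before it is logged or stored.

Added example, not the project's own code. Assumes the legacy report-uri JSON
format: a body whose top-level object carries a single "csp-report" member.
Names such as validate_csp_report and MAX_REPORT_BYTES are hypothetical.
"""
import json
from dataclasses import dataclass, field

# Size budget enforced on the raw bytes before json.loads() runs, so an
# oversized body is rejected without being parsed into Python objects.
MAX_REPORT_BYTES = 8 * 1024
# Upper bound for any single string field (URIs, policy text, script sample).
MAX_FIELD_CHARS = 2048

# Directive names defined by CSP Level 2/3. Only the directive *name* is
# checked; the remainder of a violated-directive string is policy text.
KNOWN_DIRECTIVES = frozenset({
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "prefetch-src", "frame-ancestors",
    "form-action", "base-uri", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests", "block-all-mixed-content",
    "require-trusted-types-for", "trusted-types", "navigate-to",
})

# Members a user agent may place in the csp-report object. Anything else is
# dropped rather than stored, so a client cannot add arbitrary keys.
ALLOWED_KEYS = frozenset({
    "document-uri", "referrer", "blocked-uri", "effective-directive",
    "violated-directive", "original-policy", "disposition", "status-code",
    "script-sample", "source-file", "line-number", "column-number",
})
REQUIRED_KEYS = ("document-uri", "blocked-uri")


@dataclass
class ValidationResult:
    ok: bool
    reason: str = ""
    report: dict = field(default_factory=dict)


def directive_name(value: str) -> str:
    """'script-src 'self' https:' -> 'script-src'."""
    return value.strip().split(" ", 1)[0].lower()


def validate_csp_report(body: bytes, max_bytes: int = MAX_REPORT_BYTES) -> ValidationResult:
    """Return a cleaned csp-report dict, or a rejection with the reason."""
    if len(body) > max_bytes:
        return ValidationResult(False, f"body exceeds {max_bytes} bytes")
    try:
        payload = json.loads(body.decode("utf-8"))
    except ValueError:  # UnicodeDecodeError and JSONDecodeError are ValueErrors
        return ValidationResult(False, "body is not valid UTF-8 JSON")
    if not isinstance(payload, dict) or not isinstance(payload.get("csp-report"), dict):
        return ValidationResult(False, "missing csp-report object")

    cleaned = {}
    for key, value in payload["csp-report"].items():
        if key not in ALLOWED_KEYS:
            continue  # unknown member: drop it silently
        if isinstance(value, str):
            if len(value) > MAX_FIELD_CHARS:
                return ValidationResult(False, f"{key} exceeds {MAX_FIELD_CHARS} chars")
        elif not (isinstance(value, int) and not isinstance(value, bool)):
            return ValidationResult(False, f"{key} has unexpected type")
        cleaned[key] = value

    for key in REQUIRED_KEYS:
        if key not in cleaned:
            return ValidationResult(False, f"missing required key {key}")

    directive = cleaned.get("effective-directive") or cleaned.get("violated-directive")
    if not isinstance(directive, str):
        return ValidationResult(False, "missing violated/effective directive")
    name = directive_name(directive)
    if name not in KNOWN_DIRECTIVES:
        return ValidationResult(False, f"unknown directive {name!r}")
    return ValidationResult(True, "", cleaned)


# Constructed sample payloads (not captured from a real browser).
SAMPLE_VALID = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "blocked-uri": "https://cdn.example.test/app.js",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp",
    "status-code": 200,
    "unexpected-key": "ignored",
}}).encode()
SAMPLE_BAD_DIRECTIVE = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "blocked-uri": "https://cdn.example.test/app.js",
    "violated-directive": "evil-src x",
}}).encode()

if __name__ == "__main__":
    for sample in (SAMPLE_VALID, SAMPLE_BAD_DIRECTIVE, b"x" * (MAX_REPORT_BYTES + 1)):
        print(validate_csp_report(sample))
```

The size check runs on the raw bytes so a web-server body limit (the point raised above) and this check reinforce each other: the server limit protects the process from large uploads, and the in-app limit documents the budget the report handler is designed for and keeps it from depending on deployment configuration. The directive allowlist only checks the leading token, since the rest of a `violated-directive` value is policy text that legitimately varies between sites.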