Stricter whitelist rules (#2213)

* Stricter whitelist rules

* Linting

* Added spec for blacklisting

* Test subdomain blacklist on domain whitelist

* No need to split

* Change spec name
Guillaume Lo Re 2017-04-26 01:22:51 +02:00 committed by Eugen Rochko
parent fbc5099402
commit 7177e37b99
2 changed files with 33 additions and 2 deletions


@ -15,7 +15,7 @@ class EmailValidator < ActiveModel::EachValidator
return false if Rails.configuration.x.email_domains_blacklist.blank? return false if Rails.configuration.x.email_domains_blacklist.blank?
domains = Rails.configuration.x.email_domains_blacklist.gsub('.', '\.') domains = Rails.configuration.x.email_domains_blacklist.gsub('.', '\.')
regexp = Regexp.new("@(.+\\.)?(#{domains})", true) regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
value =~ regexp value =~ regexp
end end
@ -24,7 +24,7 @@ class EmailValidator < ActiveModel::EachValidator
return false if Rails.configuration.x.email_domains_whitelist.blank? return false if Rails.configuration.x.email_domains_whitelist.blank?
domains = Rails.configuration.x.email_domains_whitelist.gsub('.', '\.') domains = Rails.configuration.x.email_domains_whitelist.gsub('.', '\.')
regexp = Regexp.new("@(.+\\.)?(#{domains})", true) regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
value !~ regexp value !~ regexp
end end
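Review bot: The `$` added to the whitelist regexp on the changed line anchors at the end of a line, not the end of the string, so a value like `"foo@mastodon.space\nevil.example"` would still satisfy the whitelist; Ruby's end-of-string anchor is `\z`, i.e. `regexp = Regexp.new("@(.+\\.)?(#{domains})\\z", true)`. Whether a newline can reach this validator depends on email-format validation elsewhere, which is not visible in this hunk. Note also that only `.` is escaped in the configured domain list, so any other regexp metacharacter in `email_domains_whitelist` is interpreted as regexp syntax rather than literally; presumably `|` is the intended separator, and a comment such as `# '|'-separated list of domains; only dots are escaped before interpolation` would make that contract explicit. The enclosing method begins above this hunk.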


@ -85,6 +85,16 @@ RSpec.describe User, type: :model do
let(:password) { 'abcd1234' } let(:password) { 'abcd1234' }
describe 'blacklist' do describe 'blacklist' do
around(:each) do |example|
old_blacklist = Rails.configuration.x.email_blacklist
Rails.configuration.x.email_domains_blacklist = 'mvrht.com'
example.run
Rails.configuration.x.email_domains_blacklist = old_blacklist
end
it 'should allow a non-blacklisted user to be created' do it 'should allow a non-blacklisted user to be created' do
user = User.new(email: 'foo@example.com', account: account, password: password) user = User.new(email: 'foo@example.com', account: account, password: password)
@ -96,6 +106,12 @@ RSpec.describe User, type: :model do
expect(user.valid?).to be_falsey expect(user.valid?).to be_falsey
end end
it 'should not allow a subdomain blacklisted user to be created' do
user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password)
expect(user.valid?).to be_falsey
end
end end
describe '#confirmed?' do describe '#confirmed?' do
@ -130,5 +146,20 @@ RSpec.describe User, type: :model do
user = User.new(email: 'foo@mastodon.space', account: account, password: password) user = User.new(email: 'foo@mastodon.space', account: account, password: password)
expect(user.valid?).to be_truthy expect(user.valid?).to be_truthy
end end
it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do
user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password)
expect(user.valid?).to be_falsey
end
it 'should not allow a user to be created with a specific blacklisted subdomain even if the top domain is whitelisted' do
old_blacklist = Rails.configuration.x.email_blacklist
Rails.configuration.x.email_domains_blacklist = 'blacklisted.mastodon.space'
user = User.new(email: 'foo@blacklisted.mastodon.space', account: account, password: password)
expect(user.valid?).to be_falsey
Rails.configuration.x.email_domains_blacklist = old_blacklist
end
end end
end end
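Review bot: In the last hunk, `old_blacklist` is read from `Rails.configuration.x.email_blacklist` but the value written back afterwards goes to `Rails.configuration.x.email_domains_blacklist`, so the original blacklist is not what gets restored; the same key mismatch appears in the `around` hook added in the first hunk. Both reads should be `old_blacklist = Rails.configuration.x.email_domains_blacklist`. The restore in the last example also runs only when the expectation passes, so a failing run leaks `'blacklisted.mastodon.space'` into later examples; an `around` hook like the one the blacklist describe now has, or a `begin`/`ensure`, would restore the config on failure as well. The describe block enclosing this hunk (presumably the whitelist one) starts above it.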