Stricter whitelist rules (#2213)
* Stricter whitelist rules * Linting * Added spec for blacklisting * Test subdomain blacklist on domain whitelist * No need to split * Change spec name
This commit is contained in:
parent
fbc5099402
commit
7177e37b99
@ -15,7 +15,7 @@ class EmailValidator < ActiveModel::EachValidator
|
|||
return false if Rails.configuration.x.email_domains_blacklist.blank?
|
||||
|
||||
domains = Rails.configuration.x.email_domains_blacklist.gsub('.', '\.')
|
||||
regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
|
||||
regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
|
||||
|
||||
value =~ regexp
|
||||
end
|
||||
|
@ -24,7 +24,7 @@ class EmailValidator < ActiveModel::EachValidator
|
|||
return false if Rails.configuration.x.email_domains_whitelist.blank?
|
||||
|
||||
domains = Rails.configuration.x.email_domains_whitelist.gsub('.', '\.')
|
||||
regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
|
||||
regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
|
||||
|
||||
value !~ regexp
|
||||
end
|
||||
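Review bot: The `$` added to the whitelist regexp in `regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)` anchors at end of line rather than end of string, so a value with a line break after a whitelisted domain still matches; full-string validation in Ruby should use `\z`: `regexp = Regexp.new("@(.+\\.)?(#{domains})\\z", true)`. Whether another format check already rejects whitespace before this validator runs is not visible in the hunk, so the stricter anchor is cheap insurance either way. The blacklist regexp in the first hunk is left without an end anchor, which looks deliberate given the new subdomain spec, but it also means an entry like `mvrht.com` matches `mvrht.community`; a one-line comment such as `# intentionally unanchored: a blacklisted domain also blocks anything that merely starts with it` would keep the next reader from "fixing" it. Both hunks escape only `.` via `gsub`, so any other regexp metacharacter in the configured list is interpreted as a pattern, and applying `Regexp.escape` per entry before joining would be safer, although the configuration format itself is outside this diff. The `def` lines of both validator methods are outside the hunks.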
|
|
|
@ -85,6 +85,16 @@ RSpec.describe User, type: :model do
|
|||
let(:password) { 'abcd1234' }
|
||||
|
||||
describe 'blacklist' do
|
||||
around(:each) do |example|
|
||||
old_blacklist = Rails.configuration.x.email_blacklist
|
||||
|
||||
Rails.configuration.x.email_domains_blacklist = 'mvrht.com'
|
||||
|
||||
example.run
|
||||
|
||||
Rails.configuration.x.email_domains_blacklist = old_blacklist
|
||||
end
|
||||
|
||||
it 'should allow a non-blacklisted user to be created' do
|
||||
user = User.new(email: 'foo@example.com', account: account, password: password)
|
||||
|
||||
|
@ -96,6 +106,12 @@ RSpec.describe User, type: :model do
|
|||
|
||||
expect(user.valid?).to be_falsey
|
||||
end
|
||||
|
||||
it 'should not allow a subdomain blacklisted user to be created' do
|
||||
user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password)
|
||||
|
||||
expect(user.valid?).to be_falsey
|
||||
end
|
||||
end
|
||||
|
||||
describe '#confirmed?' do
|
||||
|
@ -130,5 +146,20 @@ RSpec.describe User, type: :model do
|
|||
user = User.new(email: 'foo@mastodon.space', account: account, password: password)
|
||||
expect(user.valid?).to be_truthy
|
||||
end
|
||||
|
||||
it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do
|
||||
user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password)
|
||||
expect(user.valid?).to be_falsey
|
||||
end
|
||||
|
||||
it 'should not allow a user to be created with a specific blacklisted subdomain even if the top domain is whitelisted' do
|
||||
old_blacklist = Rails.configuration.x.email_blacklist
|
||||
Rails.configuration.x.email_domains_blacklist = 'blacklisted.mastodon.space'
|
||||
|
||||
user = User.new(email: 'foo@blacklisted.mastodon.space', account: account, password: password)
|
||||
expect(user.valid?).to be_falsey
|
||||
|
||||
Rails.configuration.x.email_domains_blacklist = old_blacklist
|
||||
end
|
||||
end
|
||||
end
|
||||
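Review bot: The `around(:each)` hook in the blacklist describe block saves `Rails.configuration.x.email_blacklist` but restores into `Rails.configuration.x.email_domains_blacklist`, so after each example the blacklist is reset to whatever `email_blacklist` holds (presumably nil) rather than the value it had before; the save line should read `old_blacklist = Rails.configuration.x.email_domains_blacklist`. The same key mismatch appears in the last hunk's "specific blacklisted subdomain" example, where the restore also sits after the expectation, so a failing `expect` raises past it and leaks `blacklisted.mastodon.space` into every later example in the run. Wrapping that example's body in `begin … ensure … end`, or moving the save/restore into an `around` hook as the blacklist block does, would isolate it. The enclosing `RSpec.describe User` context starts outside the first hunk.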