From 7177e37b999d0a8b4e0382c193bcb973443a756f Mon Sep 17 00:00:00 2001 From: Guillaume Lo Re Date: Wed, 26 Apr 2017 01:22:51 +0200 Subject: [PATCH] Stricter whitelist rules (#2213) * Stricter whitelist rules * Linting * Added spec for blacklisting * Test subdomain blacklist on domain whitelist * No need to split * Change spec name --- app/validators/email_validator.rb | 4 ++-- spec/models/user_spec.rb | 31 +++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb index 06e9375f60..141f209d54 100644 --- a/app/validators/email_validator.rb +++ b/app/validators/email_validator.rb @@ -15,7 +15,7 @@ class EmailValidator < ActiveModel::EachValidator return false if Rails.configuration.x.email_domains_blacklist.blank? domains = Rails.configuration.x.email_domains_blacklist.gsub('.', '\.') - regexp = Regexp.new("@(.+\\.)?(#{domains})", true) + regexp = Regexp.new("@(.+\\.)?(#{domains})", true) value =~ regexp end @@ -24,7 +24,7 @@ class EmailValidator < ActiveModel::EachValidator return false if Rails.configuration.x.email_domains_whitelist.blank? domains = Rails.configuration.x.email_domains_whitelist.gsub('.', '\.') - regexp = Regexp.new("@(.+\\.)?(#{domains})", true) + regexp = Regexp.new("@(.+\\.)?(#{domains})$", true) value !~ regexp end diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index 3dd50a7014..a86bf4ece6 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb @@ -85,6 +85,16 @@ RSpec.describe User, type: :model do let(:password) { 'abcd1234' } describe 'blacklist' do + around(:each) do |example| + old_blacklist = Rails.configuration.x.email_blacklist + + Rails.configuration.x.email_domains_blacklist = 'mvrht.com' + + example.run + + Rails.configuration.x.email_domains_blacklist = old_blacklist + end + it 'should allow a non-blacklisted user to be created' do user = User.new(email: 'foo@example.com', account: account, password: password) @@ -96,6 +106,12 @@ RSpec.describe User, type: :model do expect(user.valid?).to be_falsey end + + it 'should not allow a subdomain blacklisted user to be created' do + user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password) + + expect(user.valid?).to be_falsey + end end describe '#confirmed?' do @@ -130,5 +146,20 @@ RSpec.describe User, type: :model do user = User.new(email: 'foo@mastodon.space', account: account, password: password) expect(user.valid?).to be_truthy end + + it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do + user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password) + expect(user.valid?).to be_falsey + end + + it 'should not allow a user to be created with a specific blacklisted subdomain even if the top domain is whitelisted' do + old_blacklist = Rails.configuration.x.email_blacklist + Rails.configuration.x.email_domains_blacklist = 'blacklisted.mastodon.space' + + user = User.new(email: 'foo@blacklisted.mastodon.space', account: account, password: password) + expect(user.valid?).to be_falsey + + Rails.configuration.x.email_domains_blacklist = old_blacklist + end end end