Stricter whitelist rules (#2213)

* Stricter whitelist rules * Linting * Added spec for blacklisting * Test subdomain blacklist on domain whitelist * No need to split * Change spec name

Stricter whitelist rules (#2213)
* Stricter whitelist rules * Linting * Added spec for blacklisting * Test subdomain blacklist on domain whitelist * No need to split * Change spec name
7177e37b · Guillaume Lo Re · Eugen Rochko · fbc50994 · 7177e37b · 7177e37b
Commit 7177e37b authored 7 years ago by Guillaume Lo Re Committed by Eugen Rochko 7 years ago
--- a/app/validators/email_validator.rb
+++ b/app/validators/email_validator.rb
@@ -15,7 +15,7 @@ class EmailValidator < ActiveModel::EachValidator
    return false if Rails.configuration.x.email_domains_blacklist.blank?

    domains = Rails.configuration.x.email_domains_blacklist.gsub('.', '\.')
-    regexp  = Regexp.new("@(.+\\.)?(#{domains})", true)
+    regexp = Regexp.new("@(.+\\.)?(#{domains})", true)

    value =~ regexp
  end
@@ -24,7 +24,7 @@ class EmailValidator < ActiveModel::EachValidator
    return false if Rails.configuration.x.email_domains_whitelist.blank?

    domains = Rails.configuration.x.email_domains_whitelist.gsub('.', '\.')
-    regexp  = Regexp.new("@(.+\\.)?(#{domains})", true)
+    regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)

    value !~ regexp
  end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -85,6 +85,16 @@ RSpec.describe User, type: :model do
  let(:password) { 'abcd1234' }

  describe 'blacklist' do
+    around(:each) do |example|
+      old_blacklist = Rails.configuration.x.email_blacklist
+
+      Rails.configuration.x.email_domains_blacklist = 'mvrht.com'
+
+      example.run
+
+      Rails.configuration.x.email_domains_blacklist = old_blacklist
+    end
+
    it 'should allow a non-blacklisted user to be created' do
      user = User.new(email: 'foo@example.com', account: account, password: password)

@@ -96,6 +106,12 @@ RSpec.describe User, type: :model do

      expect(user.valid?).to be_falsey
    end
+
+    it 'should not allow a subdomain blacklisted user to be created' do
+      user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password)
+
+      expect(user.valid?).to be_falsey
+    end
  end

  describe '#confirmed?' do
@@ -130,5 +146,20 @@ RSpec.describe User, type: :model do
      user = User.new(email: 'foo@mastodon.space', account: account, password: password)
      expect(user.valid?).to be_truthy
    end
+
+    it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do
+      user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password)
+      expect(user.valid?).to be_falsey
+    end
+
+    it 'should not allow a user to be created with a specific blacklisted subdomain even if the top domain is whitelisted' do
+      old_blacklist = Rails.configuration.x.email_blacklist
+      Rails.configuration.x.email_domains_blacklist = 'blacklisted.mastodon.space'
+
+      user = User.new(email: 'foo@blacklisted.mastodon.space', account: account, password: password)
+      expect(user.valid?).to be_falsey
+
+      Rails.configuration.x.email_domains_blacklist = old_blacklist
+    end
  end
 end