commit: 7177e37b999d0a8b4e0382c193bcb973443a756f
parent: fbc509940266dc9de1a197e2261608257396b5a7
Author: Guillaume Lo Re <lowreg@gmail.com>
Date: Wed, 26 Apr 2017 01:22:51 +0200
Stricter whitelist rules (#2213)
* Stricter whitelist rules
* Linting
* Added spec for blacklisting
* Test subdomain blacklist on domain whitelist
* No need to split
* Change spec name
Diffstat:
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb
@@ -15,7 +15,7 @@ class EmailValidator < ActiveModel::EachValidator
return false if Rails.configuration.x.email_domains_blacklist.blank?
domains = Rails.configuration.x.email_domains_blacklist.gsub('.', '\.')
- regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
+ regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
value =~ regexp
end
@@ -24,7 +24,7 @@ class EmailValidator < ActiveModel::EachValidator
return false if Rails.configuration.x.email_domains_whitelist.blank?
domains = Rails.configuration.x.email_domains_whitelist.gsub('.', '\.')
- regexp = Regexp.new("@(.+\\.)?(#{domains})", true)
+ regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
value !~ regexp
end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
@@ -85,6 +85,16 @@ RSpec.describe User, type: :model do
let(:password) { 'abcd1234' }
describe 'blacklist' do
+ around(:each) do |example|
+ old_blacklist = Rails.configuration.x.email_blacklist
+
+ Rails.configuration.x.email_domains_blacklist = 'mvrht.com'
+
+ example.run
+
+ Rails.configuration.x.email_domains_blacklist = old_blacklist
+ end
+
it 'should allow a non-blacklisted user to be created' do
user = User.new(email: 'foo@example.com', account: account, password: password)
@@ -96,6 +106,12 @@ RSpec.describe User, type: :model do
expect(user.valid?).to be_falsey
end
+
+ it 'should not allow a subdomain blacklisted user to be created' do
+ user = User.new(email: 'foo@mvrht.com.topdomain.tld', account: account, password: password)
+
+ expect(user.valid?).to be_falsey
+ end
end
describe '#confirmed?' do
@@ -130,5 +146,20 @@ RSpec.describe User, type: :model do
user = User.new(email: 'foo@mastodon.space', account: account, password: password)
expect(user.valid?).to be_truthy
end
+
+ it 'should not allow a user with a whitelisted top domain as subdomain in their email address to be created' do
+ user = User.new(email: 'foo@mastodon.space.userdomain.com', account: account, password: password)
+ expect(user.valid?).to be_falsey
+ end
+
+ it 'should not allow a user to be created with a specific blacklisted subdomain even if the top domain is whitelisted' do
+ old_blacklist = Rails.configuration.x.email_blacklist
+ Rails.configuration.x.email_domains_blacklist = 'blacklisted.mastodon.space'
+
+ user = User.new(email: 'foo@blacklisted.mastodon.space', account: account, password: password)
+ expect(user.valid?).to be_falsey
+
+ Rails.configuration.x.email_domains_blacklist = old_blacklist
+ end
end
end