Merge pull request #10065 from mfo/US/secu-email

fix(email.validation): some nasty tests
2024-03-08 09:05:03 +00:00 · 2024-03-08 09:05:03 +00:00 · 0013528deb
commit 0013528deb
parent 1024557081 0ea90e036e
2 changed files with 29 additions and 1 deletions
--- a/app/validators/strict_email_validator.rb
+++ b/app/validators/strict_email_validator.rb
@ -3,7 +3,7 @@ class StrictEmailValidator < ActiveModel::EachValidator
  #   saying that it's quite permissive
  #   but we want more, we want to ensure it's a domain with extension
  #   so we append \.[A-Za-z]{2,}
-  REGEXP = /\A[^@\s]+@[^@\s\.]+\.[^@\s]{2,}\z/
+  REGEXP = /\A(?<username>[^@[:space:]])+@(?<domain>[^@[:space:]\.])+(?<extensions>\.[[:alnum:].]{2,})\z/
  DATE_SINCE_STRICT_EMAIL_VALIDATION = Date.parse(ENV.fetch('STRICT_EMAIL_VALIDATION_STARTS_ON')) rescue 0

  def validate_each(record, attribute, value)
--- a/spec/models/champs/email_champ_spec.rb
+++ b/spec/models/champs/email_champ_spec.rb
@ -22,11 +22,39 @@ describe Champs::EmailChamp do
      it { is_expected.to be_falsey }
    end

+    context 'when value comes from pentesters with \u0022' do
+      let(:value) { "testing@example.com\u0022onmouseover=uzcc(96363)\u0022" }
+      # what we allowed but it was a mistake
+      it { is_expected.to be_falsey }
+    end
+
+    context 'when value comes from pentesters with script' do
+      let(:value) { "testing@example.com<script>alert('ok')</script>" }
+      # what we allowed but it was a mistake
+      it { is_expected.to be_falsey }
+    end
+
+    context 'when value comes from pentesters with ?' do
+      let(:value) { "testing@example.com?test" }
+      # what we allowed but it was a mistake
+      it { is_expected.to be_falsey }
+    end
+
    context 'when value include an alias' do
      let(:value) { 'username+alias@mailserver.fr' }
      it { is_expected.to be_truthy }
    end

+    context 'when value include an dash in domain' do
+      let(:value) { 'username+alias@demarches-simplifiees.fr' }
+      it { is_expected.to be_truthy }
+    end
+
+    context 'when value include an dash in domain' do
+      let(:value) { 'username+alias@demarches-simplifiees-v2.fr' }
+      it { is_expected.to be_truthy }
+    end
+
    context 'when value includes accents' do
      let(:value) { 'tech@démarches.gouv.fr' }
      it { is_expected.to be_truthy }