From 0ea90e036e01d1832c458ec4a2e0cd05c8e2e658 Mon Sep 17 00:00:00 2001
From: Martin
Date: Mon, 4 Mar 2024 17:55:20 +0100
Subject: [PATCH] fix(email.validation): some nasty tests
---
 app/validators/strict_email_validator.rb | 2 +-
 spec/models/champs/email_champ_spec.rb | 28 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/app/validators/strict_email_validator.rb b/app/validators/strict_email_validator.rb
index 093e26b17..ff6b2b019 100644
--- a/app/validators/strict_email_validator.rb
+++ b/app/validators/strict_email_validator.rb
@@ -3,7 +3,7 @@ class StrictEmailValidator < ActiveModel::EachValidator
 # saying that it's quite permissive
 # but we want more, we want to ensure it's a domain with extension
 # so we append \.[A-Za-z]{2,}
- REGEXP = /\A[^@\s]+@[^@\s\.]+\.[^@\s]{2,}\z/
+ REGEXP = /\A(?[^@[:space:]])+@(?[^@[:space:]\.])+(?\.[[:alnum:].]{2,})\z/
 DATE_SINCE_STRICT_EMAIL_VALIDATION = Date.parse(ENV.fetch('STRICT_EMAIL_VALIDATION_STARTS_ON')) rescue 0

 def validate_each(record, attribute, value)
diff --git a/spec/models/champs/email_champ_spec.rb b/spec/models/champs/email_champ_spec.rb
index 87233854b..359b9c0a5 100644
--- a/spec/models/champs/email_champ_spec.rb
+++ b/spec/models/champs/email_champ_spec.rb
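Review bot: The new extension group `(?\.[[:alnum:].]{2,})` on the `+` line rejects a dash in every label after the first, so `user@mail.demarches-simplifiees.fr` or a punycode `xn--` TLD now fails, while `user@example..com` and `user@example.com.` still pass; the dash tests added in the spec only exercise the first label, so they do not catch this. The local part `[^@[:space:]]` and first label `[^@[:space:]\.]` also still admit `"`, `<`, `>`, `(`, `)` and `=`, so the pentester payloads are only rejected after the TLD — `testing"onmouseover=x"@example.com` still validates. A form that keeps the alias, accent and dash cases in the spec while closing both gaps is `REGEXP = /\A[^@[:space:]"'<>()]+@(?:[[:alnum:]-]+\.)+[[:alnum:]-]{2,}\z/`; either way this validator is input hygiene, and the real XSS control stays with escaping wherever the address is rendered. The groups appear here as `(?[`, which Ruby would not parse — presumably the `<name>` of each named capture was lost in rendering, but that is worth confirming against the committed file. The comment above, `so we append \.[A-Za-z]{2,}`, no longer matches the pattern and should be updated with it.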
@@ -22,11 +22,39 @@ describe Champs::EmailChamp do
 it { is_expected.to be_falsey }
 end

+ context 'when value comes from pentesters with \u0022' do
+ let(:value) { "testing@example.com\u0022onmouseover=uzcc(96363)\u0022" }
+ # what we allowed but it was a mistake
+ it { is_expected.to be_falsey }
+ end
+
+ context 'when value comes from pentesters with script' do
+ let(:value) { "testing@example.com" }
+ # what we allowed but it was a mistake
+ it { is_expected.to be_falsey }
+ end
+
+ context 'when value comes from pentesters with ?' do
+ let(:value) { "testing@example.com?test" }
+ # what we allowed but it was a mistake
+ it { is_expected.to be_falsey }
+ end
+
 context 'when value include an alias' do
 let(:value) { 'username+alias@mailserver.fr' }
 it { is_expected.to be_truthy }
 end

+ context 'when value include an dash in domain' do
+ let(:value) { 'username+alias@demarches-simplifiees.fr' }
+ it { is_expected.to be_truthy }
+ end
+
+ context 'when value include an dash in domain' do
+ let(:value) { 'username+alias@demarches-simplifiees-v2.fr' }
+ it { is_expected.to be_truthy }
+ end
+
 context 'when value includes accents' do
 let(:value) { 'tech@démarches.gouv.fr' }
 it { is_expected.to be_truthy }
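Review bot: The `script` context's value is rendered here as the plain, valid address `"testing@example.com"`, which `be_falsey` cannot hold for — most likely a `<script>` tag was stripped when the patch was displayed, but the committed spec should be checked so the example is not asserting that a valid address is rejected. All three pentester cases place the payload after the TLD; the new validator still accepts `"`, `<`, `>`, `(` and `)` in the local part and in the first domain label, so a case such as `let(:value) { 'testing"onmouseover=x"@example.com' }` expecting `be_falsey` would document that gap. The two dash contexts share the description `'when value include an dash in domain'` and both put the dash in the first label; one should be renamed and a case like `let(:value) { 'user@mail.demarches-simplifiees.fr' }` added, because the new pattern rejects a dash in any later label. The `\u0022` inside the single-quoted context description is a literal backslash sequence, which is harmless but reads as if it were the quote character.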