Merge pull request #10065 from mfo/US/secu-email

fix(email.validation): some nasty tests
2024-03-08 09:05:03 +00:00 · 2024-03-08 09:05:03 +00:00 · 0013528deb
commit 0013528deb
parent 1024557081 0ea90e036e
2 changed files with 29 additions and 1 deletions
--- a/spec/models/champs/email_champ_spec.rb
+++ b/spec/models/champs/email_champ_spec.rb
@ -22,11 +22,39 @@ describe Champs::EmailChamp do
      it { is_expected.to be_falsey }
    end

+    context 'when value comes from pentesters with \u0022' do
+      let(:value) { "testing@example.com\u0022onmouseover=uzcc(96363)\u0022" }
+      # what we allowed but it was a mistake
+      it { is_expected.to be_falsey }
+    end
+
+    context 'when value comes from pentesters with script' do
+      let(:value) { "testing@example.com<script>alert('ok')</script>" }
+      # what we allowed but it was a mistake
+      it { is_expected.to be_falsey }
+    end
+
+    context 'when value comes from pentesters with ?' do
+      let(:value) { "testing@example.com?test" }
+      # what we allowed but it was a mistake
+      it { is_expected.to be_falsey }
+    end
+
    context 'when value include an alias' do
      let(:value) { 'username+alias@mailserver.fr' }
      it { is_expected.to be_truthy }
    end

+    context 'when value include an dash in domain' do
+      let(:value) { 'username+alias@demarches-simplifiees.fr' }
+      it { is_expected.to be_truthy }
+    end
+
+    context 'when value include an dash in domain' do
+      let(:value) { 'username+alias@demarches-simplifiees-v2.fr' }
+      it { is_expected.to be_truthy }
+    end
+
    context 'when value includes accents' do
      let(:value) { 'tech@démarches.gouv.fr' }
      it { is_expected.to be_truthy }