DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Merge pull request #10065 from mfo/US/secu-email

Browse source 
fix(email.validation): some nasty tests
This commit is contained in:
mfo 2024-03-08 09:05:03 +00:00 committed by GitHub
commit 0013528deb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 29 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/validators/strict_email_validator.rb
View file

@ -3,7 +3,7 @@ class StrictEmailValidator < ActiveModel::EachValidator
# saying that it's quite permissive # saying that it's quite permissive
# but we want more, we want to ensure it's a domain with extension # but we want more, we want to ensure it's a domain with extension
# so we append \.[A-Za-z]{2,} # so we append \.[A-Za-z]{2,}
REGEXP = /\A[^@\s]+@[^@\s\.]+\.[^@\s]{2,}\z/ REGEXP = /\A(?<username>[^@[:space:]])+@(?<domain>[^@[:space:]\.])+(?<extensions>\.[[:alnum:].]{2,})\z/
DATE_SINCE_STRICT_EMAIL_VALIDATION = Date.parse(ENV.fetch('STRICT_EMAIL_VALIDATION_STARTS_ON')) rescue 0 DATE_SINCE_STRICT_EMAIL_VALIDATION = Date.parse(ENV.fetch('STRICT_EMAIL_VALIDATION_STARTS_ON')) rescue 0
def validate_each(record, attribute, value) def validate_each(record, attribute, value)

28
spec/models/champs/email_champ_spec.rb
View file

@ -22,11 +22,39 @@ describe Champs::EmailChamp do
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
end end
context 'when value comes from pentesters with \u0022' do
let(:value) { "testing@example.com\u0022onmouseover=uzcc(96363)\u0022" }
# what we allowed but it was a mistake
it { is_expected.to be_falsey }
end
context 'when value comes from pentesters with script' do
let(:value) { "testing@example.com<script>alert('ok')</script>" }
# what we allowed but it was a mistake
it { is_expected.to be_falsey }
end
context 'when value comes from pentesters with ?' do
let(:value) { "testing@example.com?test" }
# what we allowed but it was a mistake
it { is_expected.to be_falsey }
end
context 'when value include an alias' do context 'when value include an alias' do
let(:value) { 'username+alias@mailserver.fr' } let(:value) { 'username+alias@mailserver.fr' }
it { is_expected.to be_truthy } it { is_expected.to be_truthy }
end end
context 'when value include an dash in domain' do
let(:value) { 'username+alias@demarches-simplifiees.fr' }
it { is_expected.to be_truthy }
end
context 'when value include an dash in domain' do
let(:value) { 'username+alias@demarches-simplifiees-v2.fr' }
it { is_expected.to be_truthy }
end
context 'when value includes accents' do context 'when value includes accents' do
let(:value) { 'tech@démarches.gouv.fr' } let(:value) { 'tech@démarches.gouv.fr' }
it { is_expected.to be_truthy } it { is_expected.to be_truthy }