DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Merge pull request #10049 from colinux/fix-params-i18n-sanitization

Browse source 
Tech: chiffre le param email réaffiché dans la vue pour éviter de construire des pages de phishing
This commit is contained in:
mfo 2024-02-28 14:17:47 +01:00 committed by GitHub
commit 43a9ee0ca4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 32 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

7
app/controllers/application_controller.rb
View file

@ -117,6 +117,10 @@ class ApplicationController < ActionController::Base
"window.location.href='#{path}'"
end
def message_verifier
@message_verifier ||= ActiveSupport::MessageVerifier.new(Rails.application.secret_key_base)
end
protected
def feature_enabled?(feature_name)
@ -282,7 +286,8 @@ class ApplicationController < ActionController::Base
end
send_login_token_or_bufferize(current_instructeur)
redirect_to link_sent_path(email: current_instructeur.email)
signed_email = message_verifier.generate(current_instructeur.email, purpose: :reset_link, expires_in: 1.hour)
redirect_to link_sent_path(email: signed_email)
end
end

5
app/controllers/users/passwords_controller.rb
View file

@ -26,7 +26,7 @@ class Users::PasswordsController < Devise::PasswordsController
# end
def reset_link_sent
@email = params[:email]
@email = message_verifier.verify(params[:email], purpose: :reset_password) rescue nil
end
protected
@ -37,7 +37,8 @@ class Users::PasswordsController < Devise::PasswordsController
def after_sending_reset_password_instructions_path_for(resource_name)
flash.discard(:notice)
users_password_reset_link_sent_path(email: resource.email)
signed_email = message_verifier.generate(resource.email, purpose: :reset_password, expires_in: 1.hour)
users_password_reset_link_sent_path(email: signed_email)
end
def try_to_authenticate_instructeur

10
app/controllers/users/sessions_controller.rb
View file

@ -25,12 +25,16 @@ class Users::SessionsController < Devise::SessionsController
if send_login_token_or_bufferize(current_instructeur)
flash[:notice] = "Nous venons de vous renvoyer un nouveau lien de connexion sécurisée à #{APPLICATION_NAME}"
end
redirect_to link_sent_path(email: current_instructeur.email)
signed_email = message_verifier.generate(current_instructeur.email, purpose: :reset_link, expires_in: 1.hour)
redirect_to link_sent_path(email: signed_email)
end
def link_sent
if StrictEmailValidator::REGEXP.match?(params[:email])
@email = params[:email]
email = message_verifier.verify(params[:email], purpose: :reset_link) rescue nil
if StrictEmailValidator::REGEXP.match?(email)
@email = email
else
redirect_to root_path
end