SECURITY: Limit email invitations to topic

2025-02-06 03:18:23 +00:00 · 2022-08-10 15:39:26 +10:00 · 2022-08-10 15:39:26 +10:00 · 4fcffd3fae
commit 4fcffd3fae
parent 7b8f74439e
2 changed files with 20 additions and 0 deletions
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@ -115,6 +115,8 @@ class Invite < ActiveRecord::Base
        invite.destroy
        invite = nil
      end
+      email_digest = Digest::SHA256.hexdigest(email)
+      RateLimiter.new(invited_by, "reinvites-per-day-#{email_digest}", 3, 1.day.to_i).performed!
    end

    emailed_status = if opts[:skip_email] || invite&.emailed_status == emailed_status_types[:not_required]
--- a/spec/models/invite_spec.rb
+++ b/spec/models/invite_spec.rb
@ -181,6 +181,24 @@ describe Invite do

        expect(invite.invite_key).not_to eq(another_invite.invite_key)
      end
+
+      context "when email is already invited 3 times" do
+        before do
+          RateLimiter.enable
+          3.times do
+            Invite.generate(user, email: "test@example.com")
+          end
+        end
+
+        after do
+          RateLimiter.clear_all!
+        end
+
+        it "raises an error" do
+          expect { Invite.generate(user, email: "test@example.com") }
+            .to raise_error(RateLimiter::LimitExceeded)
+        end
+      end
    end

    context 'invite to a topic' do