SECURITY: Limit invites params length
This commit is contained in:
parent
8cade1e825
commit
62ea382247
|
@ -32,8 +32,9 @@ class Invite < ActiveRecord::Base
|
|||
has_many :topics, through: :topic_invites, source: :topic
|
||||
|
||||
validates_presence_of :invited_by_id
|
||||
validates :email, email: true, allow_blank: true
|
||||
validates :email, email: true, allow_blank: true, length: { maximum: 500 }
|
||||
validates :custom_message, length: { maximum: 1000 }
|
||||
validates :domain, length: { maximum: 500 }
|
||||
validate :ensure_max_redemptions_allowed
|
||||
validate :valid_redemption_count
|
||||
validate :valid_domain, if: :will_save_change_to_domain?
|
||||
|
@ -350,7 +351,7 @@ class Invite < ActiveRecord::Base
|
|||
self.domain.downcase!
|
||||
|
||||
if self.domain !~ Invite::DOMAIN_REGEX
|
||||
self.errors.add(:base, I18n.t("invite.domain_not_allowed"))
|
||||
self.errors.add(:base, I18n.t("invite.domain_not_allowed_admin"))
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -342,6 +342,7 @@ en:
|
|||
requires_groups: "Invite was not saved because the specified topic is inaccessible. Add one of the following groups: %{groups}."
|
||||
max_invite_emails_limit_exceeded: "Request failed because number of emails exceeded the maximum (%{max})."
|
||||
domain_not_allowed: "Your email cannot be used to redeem this invite."
|
||||
domain_not_allowed_admin: "This domain cannot be used for invites."
|
||||
max_redemptions_allowed_one: "for email invites should be 1."
|
||||
redemption_count_less_than_max: "should be less than %{max_redemptions_allowed}."
|
||||
email_xor_domain: "Email and domain fields are not allowed at the same time"
|
||||
|
|
|
@ -433,6 +433,18 @@ RSpec.describe InvitesController do
|
|||
end
|
||||
end
|
||||
|
||||
context "when email address is too long" do
|
||||
let(:email) { "a" * 495 + "@example.com" }
|
||||
|
||||
it "fails" do
|
||||
create_invite
|
||||
expect(response).to have_http_status :unprocessable_entity
|
||||
expect(response.parsed_body["errors"]).to be_present
|
||||
error_message = response.parsed_body["errors"].first
|
||||
expect(error_message).to eq("Email is too long (maximum is 500 characters)")
|
||||
end
|
||||
end
|
||||
|
||||
context "when providing an email belonging to an existing user" do
|
||||
let(:email) { user.email }
|
||||
|
||||
|
@ -460,6 +472,46 @@ RSpec.describe InvitesController do
|
|||
end
|
||||
end
|
||||
|
||||
context "with domain invite" do
|
||||
it "works" do
|
||||
sign_in(admin)
|
||||
|
||||
post "/invites.json", params: { domain: "example.com" }
|
||||
expect(response).to have_http_status :ok
|
||||
end
|
||||
|
||||
it "fails when domain is invalid" do
|
||||
sign_in(admin)
|
||||
|
||||
post "/invites.json", params: { domain: "example" }
|
||||
|
||||
expect(response).to have_http_status :unprocessable_entity
|
||||
|
||||
error_message = response.parsed_body["errors"].first
|
||||
expect(error_message).to eq(I18n.t("invite.domain_not_allowed_admin"))
|
||||
end
|
||||
|
||||
it "fails when domain is too long" do
|
||||
sign_in(admin)
|
||||
|
||||
post "/invites.json", params: { domain: "a" * 500 + ".ca" }
|
||||
expect(response).to have_http_status :unprocessable_entity
|
||||
|
||||
error_message = response.parsed_body["errors"].first
|
||||
expect(error_message).to eq("Domain is too long (maximum is 500 characters)")
|
||||
end
|
||||
|
||||
it "fails when custom message is too long" do
|
||||
sign_in(admin)
|
||||
|
||||
post "/invites.json", params: { custom_message: "b" * 1001, domain: "example.com" }
|
||||
expect(response).to have_http_status :unprocessable_entity
|
||||
|
||||
error_message = response.parsed_body["errors"].first
|
||||
expect(error_message).to eq("Custom message is too long (maximum is 1000 characters)")
|
||||
end
|
||||
end
|
||||
|
||||
context "with link invite" do
|
||||
it "works" do
|
||||
sign_in(admin)
|
||||
|
|
Loading…
Reference in New Issue