From 62ea382247c1f87361d186392c45ca74c83be295 Mon Sep 17 00:00:00 2001 From: Penar Musaraj Date: Mon, 19 Feb 2024 16:34:40 -0500 Subject: [PATCH] SECURITY: Limit invites params length --- app/models/invite.rb | 5 ++- config/locales/server.en.yml | 1 + spec/requests/invites_controller_spec.rb | 52 ++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/app/models/invite.rb b/app/models/invite.rb index e0bd78ad6ff..2aa7c91f6fd 100644 --- a/app/models/invite.rb +++ b/app/models/invite.rb @@ -32,8 +32,9 @@ class Invite < ActiveRecord::Base has_many :topics, through: :topic_invites, source: :topic validates_presence_of :invited_by_id - validates :email, email: true, allow_blank: true + validates :email, email: true, allow_blank: true, length: { maximum: 500 } validates :custom_message, length: { maximum: 1000 } + validates :domain, length: { maximum: 500 } validate :ensure_max_redemptions_allowed validate :valid_redemption_count validate :valid_domain, if: :will_save_change_to_domain? @@ -350,7 +351,7 @@ class Invite < ActiveRecord::Base self.domain.downcase! if self.domain !~ Invite::DOMAIN_REGEX - self.errors.add(:base, I18n.t("invite.domain_not_allowed")) + self.errors.add(:base, I18n.t("invite.domain_not_allowed_admin")) end end diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 3a815f4d86d..3cd66cc11de 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml @@ -342,6 +342,7 @@ en: requires_groups: "Invite was not saved because the specified topic is inaccessible. Add one of the following groups: %{groups}." max_invite_emails_limit_exceeded: "Request failed because number of emails exceeded the maximum (%{max})." domain_not_allowed: "Your email cannot be used to redeem this invite." + domain_not_allowed_admin: "This domain cannot be used for invites." max_redemptions_allowed_one: "for email invites should be 1." redemption_count_less_than_max: "should be less than %{max_redemptions_allowed}." email_xor_domain: "Email and domain fields are not allowed at the same time" diff --git a/spec/requests/invites_controller_spec.rb b/spec/requests/invites_controller_spec.rb index 534d11354d1..2fd40b192de 100644 --- a/spec/requests/invites_controller_spec.rb +++ b/spec/requests/invites_controller_spec.rb @@ -433,6 +433,18 @@ RSpec.describe InvitesController do end end + context "when email address is too long" do + let(:email) { "a" * 495 + "@example.com" } + + it "fails" do + create_invite + expect(response).to have_http_status :unprocessable_entity + expect(response.parsed_body["errors"]).to be_present + error_message = response.parsed_body["errors"].first + expect(error_message).to eq("Email is too long (maximum is 500 characters)") + end + end + context "when providing an email belonging to an existing user" do let(:email) { user.email } @@ -460,6 +472,46 @@ RSpec.describe InvitesController do end end + context "with domain invite" do + it "works" do + sign_in(admin) + + post "/invites.json", params: { domain: "example.com" } + expect(response).to have_http_status :ok + end + + it "fails when domain is invalid" do + sign_in(admin) + + post "/invites.json", params: { domain: "example" } + + expect(response).to have_http_status :unprocessable_entity + + error_message = response.parsed_body["errors"].first + expect(error_message).to eq(I18n.t("invite.domain_not_allowed_admin")) + end + + it "fails when domain is too long" do + sign_in(admin) + + post "/invites.json", params: { domain: "a" * 500 + ".ca" } + expect(response).to have_http_status :unprocessable_entity + + error_message = response.parsed_body["errors"].first + expect(error_message).to eq("Domain is too long (maximum is 500 characters)") + end + + it "fails when custom message is too long" do + sign_in(admin) + + post "/invites.json", params: { custom_message: "b" * 1001, domain: "example.com" } + expect(response).to have_http_status :unprocessable_entity + + error_message = response.parsed_body["errors"].first + expect(error_message).to eq("Custom message is too long (maximum is 1000 characters)") + end + end + context "with link invite" do it "works" do sign_in(admin)