Fix email with empty domain name labels passing validation (#23246)

* Fix email with empty domain name labels passing validation

`EmailMxValidator` would allow empty labels because `Resolv::DNS` is
particularly lenient about them, but the email would be invalid and
unusable.

* Add tests
pull/23220/head
Claire 2023-01-24 20:18:41 +01:00 committed by GitHub
parent dd58db64d8
commit a5a00d7f7a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 0 deletions

View File

@ -10,6 +10,8 @@ class EmailMxValidator < ActiveModel::Validator
if domain.blank? if domain.blank?
user.errors.add(:email, :invalid) user.errors.add(:email, :invalid)
elsif domain.include?('..')
user.errors.add(:email, :invalid)
elsif !on_allowlist?(domain) elsif !on_allowlist?(domain)
resolved_ips, resolved_domains = resolve_mx(domain) resolved_ips, resolved_domains = resolve_mx(domain)

View File

@ -28,6 +28,33 @@ describe EmailMxValidator do
end end
end end
it 'adds no error if there are DNS records for the e-mail domain' do
resolver = double
allow(resolver).to receive(:getresources).with('example.com', Resolv::DNS::Resource::IN::MX).and_return([])
allow(resolver).to receive(:getresources).with('example.com', Resolv::DNS::Resource::IN::A).and_return([Resolv::DNS::Resource::IN::A.new('192.0.2.42')])
allow(resolver).to receive(:getresources).with('example.com', Resolv::DNS::Resource::IN::AAAA).and_return([])
allow(resolver).to receive(:timeouts=).and_return(nil)
allow(Resolv::DNS).to receive(:open).and_yield(resolver)
subject.validate(user)
expect(user.errors).not_to have_received(:add)
end
it 'adds an error if the email domain name contains empty labels' do
resolver = double
allow(resolver).to receive(:getresources).with('example..com', Resolv::DNS::Resource::IN::MX).and_return([])
allow(resolver).to receive(:getresources).with('example..com', Resolv::DNS::Resource::IN::A).and_return([Resolv::DNS::Resource::IN::A.new('192.0.2.42')])
allow(resolver).to receive(:getresources).with('example..com', Resolv::DNS::Resource::IN::AAAA).and_return([])
allow(resolver).to receive(:timeouts=).and_return(nil)
allow(Resolv::DNS).to receive(:open).and_yield(resolver)
user = double(email: 'foo@example..com', sign_up_ip: '1.2.3.4', errors: double(add: nil))
subject.validate(user)
expect(user.errors).to have_received(:add)
end
it 'adds an error if there are no DNS records for the e-mail domain' do it 'adds an error if there are no DNS records for the e-mail domain' do
resolver = double resolver = double