Reject reply by email to notification if the from email is not verified

Changelog: fixed

Reject reply by email to notification if the from email is not verified
Changelog: fixed
6c33182c · Sincheol (David) Kim · Sean Arnold · c8780dfb · 6c33182c · 6c33182c
Commit 6c33182c authored Feb 08, 2022 by Sincheol (David) Kim Committed by Sean Arnold Feb 08, 2022
3 changed files
--- a/ee/spec/lib/gitlab/email/handler/create_note_handler_spec.rb
+++ b/ee/spec/lib/gitlab/email/handler/create_note_handler_spec.rb
@@ -9,11 +9,12 @@ RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do
    stub_incoming_email_setting(enabled: true, address: "reply+%{key}@appmail.adventuretime.ooo")
    stub_config_setting(host: 'localhost')
    stub_licensed_features(epics: true)
+    group.add_developer(user)
  end

  let(:email_raw) { fixture_file('emails/valid_reply.eml') }
-  let(:group) { create(:group_with_members) }
-  let(:user) { group.users.first }
+  let(:group) { create(:group) }
+  let(:user) { create(:user, email: 'jake@adventuretime.ooo') }
  let(:noteable) { create(:epic, group: group) }
  let(:note) { create(:note, project: nil, noteable: noteable)}


--- a/lib/gitlab/email/handler/create_note_handler.rb
+++ b/lib/gitlab/email/handler/create_note_handler.rb
@@ -24,6 +24,8 @@ module Gitlab

          validate_permission!(:create_note)

+          validate_from_address!
+
          raise NoteableNotFoundError unless noteable
          raise EmptyEmailError if note_message.blank?

@@ -56,6 +58,17 @@ module Gitlab

          message_with_appended_reply
        end
+
+        def from_address
+          mail.from&.first
+        end
+
+        def validate_from_address!
+          # Recipieint is always set to Support bot for ServiceDesk issues so we should exclude those.
+          return if author == User.support_bot
+
+          raise UserNotFoundError unless from_address && author.verified_email?(from_address)
+        end
      end
    end
  end

--- a/spec/lib/gitlab/email/handler/create_note_handler_spec.rb
+++ b/spec/lib/gitlab/email/handler/create_note_handler_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do
  include_context :email_shared_context

-  let_it_be(:user)      { create(:user) }
+  let_it_be(:user)      { create(:user, email: 'jake@adventuretime.ooo') }
  let_it_be(:project)   { create(:project, :public, :repository) }

  let(:noteable)  { note.noteable }
@@ -39,6 +39,43 @@ RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do
    end
  end

+  context 'when the incoming email is from a different email address' do
+    before do
+      SentNotification.find_by(reply_key: mail_key).update!(recipient: original_recipient)
+    end
+
+    context 'when the issue is not a Service Desk issue' do
+      let(:original_recipient) { create(:user, email: 'john@somethingelse.com') }
+
+      context 'with only one email address' do
+        it 'raises a UserNotFoundError' do
+          expect { receiver.execute }.to raise_error(Gitlab::Email::UserNotFoundError)
+        end
+      end
+
+      context 'with a secondary verified email address' do
+        let(:verified_email) { 'alan@adventuretime.ooo'}
+        let(:email_raw) { fixture_file('emails/valid_reply.eml').gsub('jake@adventuretime.ooo', verified_email) }
+
+        before do
+          create(:email, :confirmed, user: original_recipient, email: verified_email)
+        end
+
+        it 'does not raise a UserNotFoundError' do
+          expect { receiver.execute }.not_to raise_error(Gitlab::Email::UserNotFoundError)
+        end
+      end
+    end
+
+    context 'when the issue is a Service Desk issue' do
+      let(:original_recipient) { User.support_bot }
+
+      it 'does not raise a UserNotFoundError' do
+        expect { receiver.execute }.not_to raise_error(Gitlab::Email::UserNotFoundError)
+      end
+    end
+  end
+
  context 'when no sent notification for the mail key could be found' do
    let(:email_raw) { fixture_file('emails/wrong_mail_key.eml') }