Commit c7581aa0 authored by Thong Kuah's avatar Thong Kuah

Assert user domain restrictions not vulnerable

Add a test case to assert that a potentially bad regex doesn't cause the
process to hang.

See
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
also for details.
parent b550069c
...@@ -303,6 +303,20 @@ describe User, :do_not_mock_admin_mode do ...@@ -303,6 +303,20 @@ describe User, :do_not_mock_admin_mode do
end end
end end
context 'bad regex' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['([a-zA-Z0-9]+)+\.com'])
end
it 'does not hang on evil input' do
user = build(:user, email: 'user@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!.com')
expect do
Timeout.timeout(2.seconds) { user.valid? }
end.not_to raise_error
end
end
context 'when a signup domain is whitelisted and subdomains are allowed' do context 'when a signup domain is whitelisted and subdomains are allowed' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com', '*.example.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com', '*.example.com'])
...@@ -356,6 +370,20 @@ describe User, :do_not_mock_admin_mode do ...@@ -356,6 +370,20 @@ describe User, :do_not_mock_admin_mode do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['example.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['example.com'])
end end
context 'bad regex' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['([a-zA-Z0-9]+)+\.com'])
end
it 'does not hang on evil input' do
user = build(:user, email: 'user@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!.com')
expect do
Timeout.timeout(2.seconds) { user.valid? }
end.not_to raise_error
end
end
context 'when a signup domain is blacklisted' do context 'when a signup domain is blacklisted' do
it 'accepts info@test.com' do it 'accepts info@test.com' do
user = build(:user, email: 'info@test.com') user = build(:user, email: 'info@test.com')
......
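Review bot: The `bad regex` context added here is repeated verbatim in the second hunk (@@ -356) with only the stubbed setting changing from `:domain_whitelist` to `:domain_blacklist`; a `shared_examples 'does not hang on a catastrophic-backtracking domain pattern' do |setting|` block that stubs `receive(setting)` and is invoked via `it_behaves_like ..., :domain_whitelist` and `:domain_blacklist` would keep the two cases from drifting apart. The example also deserves a comment on why the address ends in `!.com`, e.g. `# the '!' forces the match to fail, so a nested quantifier has to backtrack exponentially`, because without that character the pattern matches quickly and the test proves nothing. Note that the assertion only fails if `user.valid?` exceeds two seconds; it passes whether validation accepts or rejects the address, so a companion expectation that the entry is treated as a literal domain rather than a regex would pin the actual mitigation, if that is how the model handles these settings. The enclosing `describe User` block and the second hunk both continue outside the visible diff.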