SECURITY: Prevent abuse of the update_activation_email route (stable)

2024-12-04 04:06:28 +08:00 · 2022-07-27 17:04:42 -03:00 · 2022-07-27 17:04:42 -03:00 · af1cb735db
commit af1cb735db
parent 7af25544c3
2 changed files with 38 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1062,10 +1062,12 @@ class UsersController < ApplicationController
    RateLimiter.new(nil, "activate-edit-email-hr-#{request.remote_ip}", 5, 1.hour).performed!

    if params[:username].present?
+      RateLimiter.new(nil, "activate-edit-email-hr-username-#{params[:username]}", 5, 1.hour).performed!
      @user = User.find_by_username_or_email(params[:username])
      raise Discourse::InvalidAccess.new unless @user.present?
      raise Discourse::InvalidAccess.new unless @user.confirm_password?(params[:password])
    elsif user_key = session[SessionController::ACTIVATE_USER_KEY]
+      RateLimiter.new(nil, "activate-edit-email-hr-user-key-#{user_key}", 5, 1.hour).performed!
      @user = User.where(id: user_key.to_i).first
    end

--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -3442,6 +3442,23 @@ describe UsersController do
        token.reload
        expect(token.expired?).to eq(true)
      end
+
+      it 'tells the user to slow down after many requests' do
+        RateLimiter.enable
+        RateLimiter.clear_all!
+        freeze_time
+
+        user = post_user
+        token = user.email_tokens.first
+
+        6.times do |n|
+          put "/u/update-activation-email.json", params: {
+            email: "updatedemail#{n}@example.com"
+          }, env: { "REMOTE_ADDR": "1.2.3.#{n}" }
+        end
+
+        expect(response.status).to eq(429)
+      end
    end

    context "with a username and password" do
@ -3516,6 +3533,25 @@ describe UsersController do
        token.reload
        expect(token.expired?).to eq(true)
      end
+
+      it 'tells the user to slow down after many requests' do
+        RateLimiter.enable
+        RateLimiter.clear_all!
+        freeze_time
+
+        user = inactive_user
+        token = user.email_tokens.first
+
+        6.times do |n|
+          put "/u/update-activation-email.json", params: {
+            username: user.username,
+            password: 'qwerqwer123',
+            email: "updatedemail#{n}@example.com"
+          }, env: { "REMOTE_ADDR": "1.2.3.#{n}" }
+        end
+
+        expect(response.status).to eq(429)
+      end
    end
  end