SECURITY: Prevent abuse of the update_activation_email route (stable)
This commit is contained in:
parent
7af25544c3
commit
af1cb735db
|
@ -1062,10 +1062,12 @@ class UsersController < ApplicationController
|
||||||
RateLimiter.new(nil, "activate-edit-email-hr-#{request.remote_ip}", 5, 1.hour).performed!
|
RateLimiter.new(nil, "activate-edit-email-hr-#{request.remote_ip}", 5, 1.hour).performed!
|
||||||
|
|
||||||
if params[:username].present?
|
if params[:username].present?
|
||||||
|
RateLimiter.new(nil, "activate-edit-email-hr-username-#{params[:username]}", 5, 1.hour).performed!
|
||||||
@user = User.find_by_username_or_email(params[:username])
|
@user = User.find_by_username_or_email(params[:username])
|
||||||
raise Discourse::InvalidAccess.new unless @user.present?
|
raise Discourse::InvalidAccess.new unless @user.present?
|
||||||
raise Discourse::InvalidAccess.new unless @user.confirm_password?(params[:password])
|
raise Discourse::InvalidAccess.new unless @user.confirm_password?(params[:password])
|
||||||
elsif user_key = session[SessionController::ACTIVATE_USER_KEY]
|
elsif user_key = session[SessionController::ACTIVATE_USER_KEY]
|
||||||
|
RateLimiter.new(nil, "activate-edit-email-hr-user-key-#{user_key}", 5, 1.hour).performed!
|
||||||
@user = User.where(id: user_key.to_i).first
|
@user = User.where(id: user_key.to_i).first
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
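Review bot: The per-username limiter added in the `params[:username].present?` branch is keyed on the raw submitted value, so a single account can be retried under several distinct buckets: the lookup on the next line accepts either a username or an email address, and if that lookup is case-insensitive (as its name suggests, not visible here) each spelling of the name is yet another key, which weakens the intended five-per-hour limit. Keying on the resolved account instead, as the session branch effectively does with the user id, closes that: replace the username-keyed line with `RateLimiter.new(nil, "activate-edit-email-hr-user-#{@user.id}", 5, 1.hour).performed!` placed after the `present?` check and before the password check; the IP limiter at the top of the hunk still covers requests for unknown identifiers. The enclosing action starts and ends outside the hunk.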
@ -3442,6 +3442,23 @@ describe UsersController do
|
||||||
token.reload
|
token.reload
|
||||||
expect(token.expired?).to eq(true)
|
expect(token.expired?).to eq(true)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'tells the user to slow down after many requests' do
|
||||||
|
RateLimiter.enable
|
||||||
|
RateLimiter.clear_all!
|
||||||
|
freeze_time
|
||||||
|
|
||||||
|
user = post_user
|
||||||
|
token = user.email_tokens.first
|
||||||
|
|
||||||
|
6.times do |n|
|
||||||
|
put "/u/update-activation-email.json", params: {
|
||||||
|
email: "updatedemail#{n}@example.com"
|
||||||
|
}, env: { "REMOTE_ADDR": "1.2.3.#{n}" }
|
||||||
|
end
|
||||||
|
|
||||||
|
expect(response.status).to eq(429)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context "with a username and password" do
|
context "with a username and password" do
|
||||||
|
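Review bot: The new example assigns `token = user.email_tokens.first` but never reads it; that line can be dropped, and the same unused local appears in the second spec hunk (the `with a username and password` context). The example also asserts only that the sixth response is 429, so it would still pass if the limiter fired on the very first request; adding `expect(response.status).not_to eq(429) if n < 5` inside the loop would pin the threshold. Whether `post_user` leaves the session key the controller's `elsif` branch reads is not visible here, so which limiter this example exercises is inferred from the changing REMOTE_ADDR rather than shown; a one-line comment naming the branch under test would help the next reader.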
@ -3516,6 +3533,25 @@ describe UsersController do
|
||||||
token.reload
|
token.reload
|
||||||
expect(token.expired?).to eq(true)
|
expect(token.expired?).to eq(true)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'tells the user to slow down after many requests' do
|
||||||
|
RateLimiter.enable
|
||||||
|
RateLimiter.clear_all!
|
||||||
|
freeze_time
|
||||||
|
|
||||||
|
user = inactive_user
|
||||||
|
token = user.email_tokens.first
|
||||||
|
|
||||||
|
6.times do |n|
|
||||||
|
put "/u/update-activation-email.json", params: {
|
||||||
|
username: user.username,
|
||||||
|
password: 'qwerqwer123',
|
||||||
|
email: "updatedemail#{n}@example.com"
|
||||||
|
}, env: { "REMOTE_ADDR": "1.2.3.#{n}" }
|
||||||
|
end
|
||||||
|
|
||||||
|
expect(response.status).to eq(429)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|