From b2162eb3e0e99c56a40023e9c7c2e400cfc0ceda Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Wed, 30 Aug 2023 05:01:55 +0000
Subject: [PATCH 1/3] check blocklist for emails when adding them to account

---
 models/user/email_address.go | 14 ++++++++++++--
 modules/validation/helpers.go | 25 +++++++++++++++++++++++++
 services/forms/user_form.go | 29 +++-------------------------
 3 files changed, 40 insertions(+), 28 deletions(-)

diff --git a/models/user/email_address.go b/models/user/email_address.go
index e310858f92ee9..6ae1e27775c46 100644
--- a/models/user/email_address.go
+++ b/models/user/email_address.go
@@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/validation"
 
 	"xorm.io/builder"
 )
@@ -157,11 +158,20 @@ func ValidateEmail(email string) error {
 		return ErrEmailInvalid{email}
 	}
 
-	if _, err := mail.ParseAddress(email); err != nil {
+	mail, err := mail.ParseAddress(email)
+	if err != nil {
+		return ErrEmailInvalid{email}
+	}
+
+	// if there is no allow list, then check email against block list
+	if len(setting.Service.EmailDomainAllowList) == 0 && validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, mail.Address) {
 		return ErrEmailInvalid{email}
 	}
 
-	// TODO: add an email allow/block list
+	// check email address against allow list
+	if !validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, mail.Address) {
+		return ErrEmailInvalid{email}
+	}
 
 	return nil
 }
diff --git a/modules/validation/helpers.go b/modules/validation/helpers.go
index 3381846b863f5..f6e00f3887a43 100644
--- a/modules/validation/helpers.go
+++ b/modules/validation/helpers.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/gobwas/glob"
 )
 
 var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`)
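Review bot: The allow/block decision added to ValidateEmail now exists in two places, because RegisterForm.IsEmailDomainAllowed in the user_form.go hunk of this patch keeps its own copy of the same two-branch logic; the two can drift, so IsEmailDomainAllowed should delegate to the model-level check, or both should call one shared helper, rather than re-encoding the policy. Both new branches also return `ErrEmailInvalid{email}` for what is a policy rejection rather than a malformed address, so a caller cannot tell the two apart; if the surrounding code has a distinct error for a disallowed domain it would be clearer here, but that is not visible in the hunk. A one-line comment above the first new `if` stating the precedence, `// an allow list, when configured, takes precedence over the block list`, would also make the intent explicit. ValidateEmail begins before the hunk.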
@@ -48,6 +50,29 @@ func IsValidSiteURL(uri string) bool {
 	return false
 }
 
+// IsEmailDomainListed checks whether the domain of an email address
+// matches a list of domains
+func IsEmailDomainListed(globs []glob.Glob, email string) bool {
+	if len(globs) == 0 {
+		return false
+	}
+
+	n := strings.LastIndex(email, "@")
+	if n <= 0 {
+		return false
+	}
+
+	domain := strings.ToLower(email[n+1:])
+
+	for _, g := range globs {
+		if g.Match(domain) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // IsAPIURL checks if URL is current Gitea instance API URL
 func IsAPIURL(uri string) bool {
 	return strings.HasPrefix(strings.ToLower(uri), strings.ToLower(setting.AppURL+"api"))
diff --git a/services/forms/user_form.go b/services/forms/user_form.go
index 1f5abf94ee129..c0eb03f554761 100644
--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@@ -13,10 +13,10 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/validation"
 	"code.gitea.io/gitea/modules/web/middleware"
 
 	"gitea.com/go-chi/binding"
-	"github.com/gobwas/glob"
 )
 
 // InstallForm form for installation page
@@ -103,29 +103,6 @@ func (f *RegisterForm) Validate(req *http.Request, errs binding.Errors) binding.
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }
 
-// IsEmailDomainListed checks whether the domain of an email address
-// matches a list of domains
-func IsEmailDomainListed(globs []glob.Glob, email string) bool {
-	if len(globs) == 0 {
-		return false
-	}
-
-	n := strings.LastIndex(email, "@")
-	if n <= 0 {
-		return false
-	}
-
-	domain := strings.ToLower(email[n+1:])
-
-	for _, g := range globs {
-		if g.Match(domain) {
-			return true
-		}
-	}
-
-	return false
-}
-
 // IsEmailDomainAllowed validates that the email address
 // provided by the user matches what has been configured .
 // The email is marked as allowed if it matches any of the
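Review bot: The doc comment on IsEmailDomainListed leaves out the two properties every caller depends on: the domain is whatever follows the last `@` in the raw string, compared case-insensitively, and an empty list never matches, so the caller has to decide separately what an unconfigured list means (the ValidateEmail hunk in this patch relies on exactly that for its allow-list branch). Suggest extending the comment with `// The domain is the part after the last '@', compared case-insensitively after lowercasing; an empty list never matches, so callers must handle an unconfigured list themselves.` Because the function slices the raw string rather than a parsed address, the comment should also say that callers are expected to pass a bare `local@domain` value. The body is moved verbatim from services/forms/user_form.go (the deletion hunk below), so its behaviour is unchanged by this patch.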
@@ -133,10 +110,10 @@ func IsEmailDomainListed(globs []glob.Glob, email string) bool {
 // domains in the blocklist, if any such list is not empty.
 func (f *RegisterForm) IsEmailDomainAllowed() bool {
 	if len(setting.Service.EmailDomainAllowList) == 0 {
-		return !IsEmailDomainListed(setting.Service.EmailDomainBlockList, f.Email)
+		return !validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, f.Email)
 	}
 
-	return IsEmailDomainListed(setting.Service.EmailDomainAllowList, f.Email)
+	return validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, f.Email)
 }
 
 // MustChangePasswordForm form for updating your password after account creation

From 77148fc109c8a6b7bba54487a13b099aeb5de69b Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Wed, 30 Aug 2023 05:23:54 +0000
Subject: [PATCH 2/3] attempt validate

---
 models/user/email_address.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/models/user/email_address.go b/models/user/email_address.go
index 6ae1e27775c46..0e2360fad7db4 100644
--- a/models/user/email_address.go
+++ b/models/user/email_address.go
@@ -158,18 +158,18 @@ func ValidateEmail(email string) error {
 		return ErrEmailInvalid{email}
 	}
 
-	mail, err := mail.ParseAddress(email)
-	if err != nil {
+	if _, err := mail.ParseAddress(email); err != nil {
 		return ErrEmailInvalid{email}
 	}
 
 	// if there is no allow list, then check email against block list
-	if len(setting.Service.EmailDomainAllowList) == 0 && validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, mail.Address) {
+	if len(setting.Service.EmailDomainAllowList) == 0 &&
+		validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, email) {
 		return ErrEmailInvalid{email}
 	}
 
 	// check email address against allow list
-	if !validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, mail.Address) {
+	if !validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, email) {
 		return ErrEmailInvalid{email}
 	}
 
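Review bot: Both IsEmailDomainListed calls in the PATCH 2 hunk now receive the raw `email` instead of the address mail.ParseAddress returns, which the previous revision passed; IsEmailDomainListed slices the raw string after its last `@`, so any input ParseAddress accepts that is not a bare `local@domain` (a display name or a comment around the address) is compared against the lists with a domain that no longer equals the configured glob, and a block-list entry would not be applied to it. Whether the checks earlier in ValidateEmail, outside the hunk, already restrict the input to a bare address is not visible here; if they do not, keep the parsed form and avoid shadowing the `net/mail` package by writing `addr, err := mail.ParseAddress(email)` followed by `if err != nil {`, and pass `addr.Address` to both IsEmailDomainListed calls. ValidateEmail starts before the hunk and the enclosing function's `return nil` is past its end.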
From f0a8fe29b30c142e4d44431bb341a244be527a37 Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Wed, 30 Aug 2023 05:49:23 +0000
Subject: [PATCH 3/3] only check allowlist if it contains any items

---
 models/user/email_address.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/models/user/email_address.go b/models/user/email_address.go
index 0e2360fad7db4..e916249e30bbe 100644
--- a/models/user/email_address.go
+++ b/models/user/email_address.go
@@ -168,8 +168,9 @@ func ValidateEmail(email string) error {
 		return ErrEmailInvalid{email}
 	}
 
-	// check email address against allow list
-	if !validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, email) {
+	// if there is an allow list, then check email against allow list
+	if len(setting.Service.EmailDomainAllowList) > 0 &&
+		!validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, email) {
 		return ErrEmailInvalid{email}
 	}
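Review bot: With this guard the block list is consulted only when no allow list is configured (the preceding `if` in ValidateEmail, outside the hunk, keeps its `len(...) == 0 &&` condition), so an operator who sets both lists gets no block-list enforcement from this function; that precedence matches RegisterForm.IsEmailDomainAllowed but is not stated anywhere in the code, so the new comment should say so, e.g. `// if there is an allow list, it takes precedence and the block list is not consulted`. Since the two conditions are mutually exclusive on len(setting.Service.EmailDomainAllowList), a single if/else on that length would make the precedence visible in the control flow instead of in two separate guards. ValidateEmail starts and ends outside the hunk.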