From 45976a1bdeb511d33016fdf6f906c06d995064ce Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Wed, 30 Aug 2023 11:46:49 -0400 Subject: [PATCH] Check blocklist for emails when adding them to account (#26812) --- models/user/email_address.go | 13 ++++++++++++- modules/validation/helpers.go | 25 +++++++++++++++++++++++++ services/forms/user_form.go | 29 +++-------------------------- 3 files changed, 40 insertions(+), 27 deletions(-) diff --git a/models/user/email_address.go b/models/user/email_address.go index e310858f92..e916249e30 100644 --- a/models/user/email_address.go +++ b/models/user/email_address.go @@ -16,6 +16,7 @@ import ( "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" + "code.gitea.io/gitea/modules/validation" "xorm.io/builder" ) @@ -161,7 +162,17 @@ func ValidateEmail(email string) error { return ErrEmailInvalid{email} } - // TODO: add an email allow/block list + // if there is no allow list, then check email against block list + if len(setting.Service.EmailDomainAllowList) == 0 && + validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, email) { + return ErrEmailInvalid{email} + } + + // if there is an allow list, then check email against allow list + if len(setting.Service.EmailDomainAllowList) > 0 && + !validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, email) { + return ErrEmailInvalid{email} + } return nil } diff --git a/modules/validation/helpers.go b/modules/validation/helpers.go index 3381846b86..f6e00f3887 100644 --- a/modules/validation/helpers.go +++ b/modules/validation/helpers.go @@ -10,6 +10,8 @@ import ( "strings" "code.gitea.io/gitea/modules/setting" + + "github.com/gobwas/glob" ) var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`) @@ -48,6 +50,29 @@ func IsValidSiteURL(uri string) bool { return false } +// IsEmailDomainListed checks whether the domain of an email address +// matches a list of domains +func IsEmailDomainListed(globs []glob.Glob, email string) bool { + if len(globs) == 0 { + return false + } + + n := strings.LastIndex(email, "@") + if n <= 0 { + return false + } + + domain := strings.ToLower(email[n+1:]) + + for _, g := range globs { + if g.Match(domain) { + return true + } + } + + return false +} + // IsAPIURL checks if URL is current Gitea instance API URL func IsAPIURL(uri string) bool { return strings.HasPrefix(strings.ToLower(uri), strings.ToLower(setting.AppURL+"api")) diff --git a/services/forms/user_form.go b/services/forms/user_form.go index 1f5abf94ee..c0eb03f554 100644 --- a/services/forms/user_form.go +++ b/services/forms/user_form.go @@ -13,10 +13,10 @@ import ( "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/structs" + "code.gitea.io/gitea/modules/validation" "code.gitea.io/gitea/modules/web/middleware" "gitea.com/go-chi/binding" - "github.com/gobwas/glob" ) // InstallForm form for installation page @@ -103,29 +103,6 @@ func (f *RegisterForm) Validate(req *http.Request, errs binding.Errors) binding. return middleware.Validate(errs, ctx.Data, f, ctx.Locale) } -// IsEmailDomainListed checks whether the domain of an email address -// matches a list of domains -func IsEmailDomainListed(globs []glob.Glob, email string) bool { - if len(globs) == 0 { - return false - } - - n := strings.LastIndex(email, "@") - if n <= 0 { - return false - } - - domain := strings.ToLower(email[n+1:]) - - for _, g := range globs { - if g.Match(domain) { - return true - } - } - - return false -} - // IsEmailDomainAllowed validates that the email address // provided by the user matches what has been configured . // The email is marked as allowed if it matches any of the @@ -133,10 +110,10 @@ func IsEmailDomainListed(globs []glob.Glob, email string) bool { // domains in the blocklist, if any such list is not empty. func (f *RegisterForm) IsEmailDomainAllowed() bool { if len(setting.Service.EmailDomainAllowList) == 0 { - return !IsEmailDomainListed(setting.Service.EmailDomainBlockList, f.Email) + return !validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, f.Email) } - return IsEmailDomainListed(setting.Service.EmailDomainAllowList, f.Email) + return validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, f.Email) } // MustChangePasswordForm form for updating your password after account creation