Adds an option to strictly enforce single recipients for emails #5680
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Devise sends email containing sensitive values such as confirmation URLs, password reset URLs, and unlock URLs. In most (all?) cases, these should only be sent to a single person so that they alone can click the link. If the email is sent to multiple addresses, another person could click the link. Set `Devise.strict_single_recipient_emails` to an array of actions to raise an error when the email would be sent to more than one email address. By default Devise is secure: - `Devise.email_regexp` will reject email addresses containing separators (`,;`) - Devise gets a single email address from `record.email` However, when using `opts`, and particularly if providing untrusted user input to `opts`, multiple values could be present in `to:`, `cc:`, or `bcc:`. Example: ```ruby # POST https://your-app.com/customised-reset-password?email[]="[email protected]"&email[]="[email protected]" # Returns the victim's user user = User.find_by(email: params[:email]) # unsafe, will send the link to two addresses: Devise.mailer.reset_password_instructions(user, 'fake-token', {to: params[:email]}) # safe, devise will use the user's email address Devise.reset_password_instructions(user, 'fake-token') # safe, will raise error: Devise.strict_single_recipient_emails = [ :confirmation_instructions, :reset_password_instructions, :unlock_instructions ] Devise.mailer.reset_password_instructions(user, 'fake-token', {to: params[:email]}) ```
|
This is ready for review @carlosantoniodasilva 🙇 |
|
👋 @carlosantoniodasilva do you or another contributor have capacity to review this? If it's not a contribution that's a good fit, I can close it 👍 Thanks for all the time & effort you put in to devise. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Devise sends email containing sensitive values such as confirmation URLs, password reset URLs, and unlock URLs. In most (all?) cases, these should only be sent to a single person so that they alone can click the link. If the email is sent to multiple addresses, another person could click the link.
Set
Devise.strict_single_recipient_emailsto an array of actions to raise an error when the email would be sent to more than one email address.By default Devise is secure:
Devise.email_regexpwill reject email addresses containing separators (,;)record.emailHowever, when using
opts, and particularly if providing untrusted user input toopts, multiple values could be present into:,cc:, orbcc:.Example:
This work is similar to what I introduced at GitLab, but disabled by default and more configurable:
a) to avoid breaking changes,
b) to make it easier to enable for a subset of actions
GitLab MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145753
This is my first contribution to Devise - very happy to receive feedback and change things up as needed ❤️ Also fine if you'd rather not include this change 👍