From dbd6ea30e96eadf6caa21bf230ed8e27cf05c8d2 Mon Sep 17 00:00:00 2001 From: James Allen Date: Mon, 11 Jun 2018 15:22:42 +0100 Subject: [PATCH] Improve robustness of email validation --- .../Subscription/TeamInvitesController.coffee | 9 +++++++-- .../Subscription/TeamInvitesHandler.coffee | 14 +++++++++----- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/services/web/app/coffee/Features/Subscription/TeamInvitesController.coffee b/services/web/app/coffee/Features/Subscription/TeamInvitesController.coffee index 475c4684b0..3fdd7e3e56 100644 --- a/services/web/app/coffee/Features/Subscription/TeamInvitesController.coffee +++ b/services/web/app/coffee/Features/Subscription/TeamInvitesController.coffee @@ -4,11 +4,14 @@ TeamInvitesHandler = require('./TeamInvitesHandler') AuthenticationController = require("../Authentication/AuthenticationController") SubscriptionLocator = require("./SubscriptionLocator") ErrorController = require("../Errors/ErrorController") +EmailHelper = require("../Helpers/EmailHelper") module.exports = createInvite: (req, res, next) -> teamManagerId = AuthenticationController.getLoggedInUserId(req) - email = req.body.email + email = EmailHelper.parseEmail(req.body.email) + if !email? + return res.sendStatus(400) TeamInvitesHandler.createInvite teamManagerId, email, (err, invite) -> return next(err) if err? @@ -45,8 +48,10 @@ module.exports = res.sendStatus 204 revokeInvite: (req, res) -> - email = req.params.email + email = EmailHelper.parseEmail(req.params.email) teamManagerId = AuthenticationController.getLoggedInUserId(req) + if !email? + return res.sendStatus(400) TeamInvitesHandler.revokeInvite teamManagerId, email, (err, results) -> return next(err) if err? diff --git a/services/web/app/coffee/Features/Subscription/TeamInvitesHandler.coffee b/services/web/app/coffee/Features/Subscription/TeamInvitesHandler.coffee index b27d0da8a1..e09e99c94a 100644 --- a/services/web/app/coffee/Features/Subscription/TeamInvitesHandler.coffee 
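Review bot: In the second Controller hunk (`@@ -45,8 +48,10 @@`) the signature `revokeInvite: (req, res) ->` declares no `next`, yet the callback's error branch `return next(err) if err?` uses it, so any error from `TeamInvitesHandler.revokeInvite` — including the handler's new `invalid email` Error for a caller that bypasses the 400 guard — would raise a ReferenceError inside the callback instead of reaching the error middleware. This is pre-existing, but the hunk now touches the lines around it, so it is worth fixing in the same change: `revokeInvite: (req, res, next) ->`. As a point of style, the new `if !email?` guard is placed before `teamManagerId` in `createInvite` but after it in `revokeInvite`; the two controller actions would read more consistently with the same order.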
+++ b/services/web/app/coffee/Features/Subscription/TeamInvitesHandler.coffee @@ -28,6 +28,8 @@ module.exports = TeamInvitesHandler = return callback(null, invite, subscription) createInvite: (teamManagerId, email, callback) -> + email = EmailHelper.parseEmail(email) + return callback(new Error('invalid email')) if !email? logger.log {teamManagerId, email}, "Creating manager team invite" UserGetter.getUser teamManagerId, (error, teamManager) -> return callback(error) if error? @@ -45,12 +47,14 @@ module.exports = TeamInvitesHandler = createInvite(subscription, email, inviterName, callback) createDomainInvite: (user, licence, callback) -> - logger.log {licence, email: user.email}, "Creating domain team invite" + email = EmailHelper.parseEmail(user.email) + return callback(new Error('invalid email')) if !email? + logger.log {licence, email: email}, "Creating domain team invite" inviterName = licence.name.replace(/\s+licence$/i, licence.name) SubscriptionLocator.getSubscription licence.subscription_id, (error, subscription) -> return callback(error) if error? - createInvite(subscription, user.email, inviterName, callback) + createInvite(subscription, email, inviterName, callback) acceptInvite: (token, userId, callback) -> logger.log {userId}, "Accepting invite" @@ -64,6 +68,8 @@ module.exports = TeamInvitesHandler = removeInviteFromTeam(subscription.id, invite.email, callback) revokeInvite: (teamManagerId, email, callback) -> + email = EmailHelper.parseEmail(email) + return callback(new Error('invalid email')) if !email? logger.log {teamManagerId, email}, "Revoking invite" SubscriptionLocator.getUsersSubscription teamManagerId, (err, teamSubscription) -> return callback(err) if err? @@ -87,7 +93,6 @@ createInvite = (subscription, email, inviterName, callback) -> return callback(error) if error? return callback(reason) unless possible - email = EmailHelper.parseEmail(email) invite = subscription.teamInvites.find (invite) -> invite.email == email 
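Review bot: The new guard `return callback(new Error('invalid email')) if !email?` in `createInvite` (and the identical one in `revokeInvite` at `@@ -64,6 +68,8 @@`) reports a client-input problem as a plain `Error`, which a controller that forwards it with `next(err)` will surface as a server error rather than a 400. The Controller hunks in this patch pre-validate, so the path is only reachable through other callers, but the handler gives those callers no way to distinguish this case other than matching `err.message`. A dedicated error type, or at least a comment on the guard stating that callers are expected to validate with `EmailHelper.parseEmail` first and that this is a defensive check, would make the contract explicit; the enclosing `module.exports = TeamInvitesHandler =` object begins outside the hunk.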
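Review bot: In the `createDomainInvite` hunk (`@@ -45,12 +47,14 @@`) the context line `inviterName = licence.name.replace(/\s+licence$/i, licence.name)` passes `licence.name` as the replacement string, so a name ending in " licence" appears to become its prefix followed by the full name again rather than having the suffix stripped; this is unchanged by the commit, but since the hunk rewrites its neighbours it looks like the intended call is `licence.name.replace(/\s+licence$/i, '')` and is worth confirming. Separately, the new log line `logger.log {licence, email: email}, ...` can use the shorthand `{licence, email}` that the other new log lines in this patch already use. `acceptInvite` continues past the end of the hunk.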
@@ -114,7 +119,6 @@ createInvite = (subscription, email, inviterName, callback) -> return callback(error, invite) removeInviteFromTeam = (subscriptionId, email, callback) -> - email = EmailHelper.parseEmail(email) searchConditions = { _id: new ObjectId(subscriptionId.toString()) } removeInvite = { $pull: { teamInvites: { email: email } } } logger.log {subscriptionId, email, searchConditions, removeInvite}, 'removeInviteFromTeam' @@ -129,7 +133,7 @@ removeLegacyInvite = (subscriptionId, email, callback) -> _id: new ObjectId(subscriptionId.toString()) }, { $pull: { - invited_emails: EmailHelper.parseEmail(email) + invited_emails: email } }, callback)
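Review bot: With `EmailHelper.parseEmail` removed from `removeLegacyInvite` (`@@ -129,7 +133,7 @@`) and from `removeInviteFromTeam` (`@@ -114,7 +119,6 @@`), both private helpers now depend on every caller having normalised the address, and the `$pull` on `invited_emails` / `teamInvites.email` will silently match nothing if an unnormalised value ever reaches them. The callers visible in this patch — `revokeInvite`, which now parses first, and `acceptInvite`, which passes the stored `invite.email` — satisfy that, but the helpers carry no statement of it; a comment such as `# email must already be normalised via EmailHelper.parseEmail by the caller` above each would document the new precondition. Both helper bodies start outside their hunks.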