SECURITY: Prevent abuse of the update_activation_email route (stable)
romanrizzi authored and OsamaSayegh committed Jul 27, 2022
1 parent 7af2554 commit af1cb73
Showing 2 changed files with 38 additions and 0 deletions.
2 changes: 2 additions & 0 deletions app/controllers/users_controller.rb
Expand Up @@ -1062,10 +1062,12 @@ def update_activation_email
RateLimiter.new(nil, "activate-edit-email-hr-#{request.remote_ip}", 5, 1.hour).performed!

if params[:username].present?
RateLimiter.new(nil, "activate-edit-email-hr-username-#{params[:username]}", 5, 1.hour).performed!
@user = User.find_by_username_or_email(params[:username])
raise Discourse::InvalidAccess.new unless @user.present?
raise Discourse::InvalidAccess.new unless @user.confirm_password?(params[:password])
elsif user_key = session[SessionController::ACTIVATE_USER_KEY]
RateLimiter.new(nil, "activate-edit-email-hr-user-key-#{user_key}", 5, 1.hour).performed!
@user = User.where(id: user_key.to_i).first
end

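Review bot: The new per-username limiter keys on `params[:username]` exactly as submitted, so the same account addressed with different letter case or surrounding whitespace (or by its email address, which `find_by_username_or_email` also accepts) lands in separate buckets, leaving only the per-IP limiter on the line above as the shared control. If the lookup helper normalizes case the limiter key should match it, e.g. `RateLimiter.new(nil, "activate-edit-email-hr-username-#{params[:username].to_s.strip.downcase}", 5, 1.hour).performed!`; the same applies to the user-key branch only if `user_key` can arrive in more than one form, which the hunk does not show. The interpolated value is also unbounded in length, so consider truncating it before it becomes part of the limiter key. The body of `update_activation_email` begins before and continues after this hunk.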
36 changes: 36 additions & 0 deletions spec/requests/users_controller_spec.rb
Expand Up @@ -3442,6 +3442,23 @@ def create_and_like_post(likee, liker)
token.reload
expect(token.expired?).to eq(true)
end

it 'tells the user to slow down after many requests' do
RateLimiter.enable
RateLimiter.clear_all!
freeze_time

user = post_user
token = user.email_tokens.first

6.times do |n|
put "/u/update-activation-email.json", params: {
email: "updatedemail#{n}@example.com"
}, env: { "REMOTE_ADDR": "1.2.3.#{n}" }
end

expect(response.status).to eq(429)
end
end

context "with a username and password" do
Expand Down Expand Up @@ -3516,6 +3533,25 @@ def create_and_like_post(likee, liker)
token.reload
expect(token.expired?).to eq(true)
end

it 'tells the user to slow down after many requests' do
RateLimiter.enable
RateLimiter.clear_all!
freeze_time

user = inactive_user
token = user.email_tokens.first

6.times do |n|
put "/u/update-activation-email.json", params: {
username: user.username,
password: 'qwerqwer123',
email: "updatedemail#{n}@example.com"
}, env: { "REMOTE_ADDR": "1.2.3.#{n}" }
end

expect(response.status).to eq(429)
end
end
end

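Review bot: In both new examples `token = user.email_tokens.first` is assigned and never read, so the line should be dropped or the example should assert on it (RuboCop's Lint/UselessAssignment will flag it). Each example also checks only the sixth response, so it would still pass if the endpoint answered 429 from the very first request; asserting inside the loop, e.g. `expect(response.status).not_to eq(429) if n < 5`, pins the threshold the limiter is meant to enforce. Because `REMOTE_ADDR` varies per request, the first example is presumably exercising the session-key limiter via whatever `post_user` sets up rather than the per-IP one; a one-line comment saying so would make the intent clear to the next reader.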
