
fix(donation): prevent $0 donation spam #2930

Closed
kevinwhoffman opened this issue Mar 20, 2018 · 4 comments

@kevinwhoffman
Member

commented Mar 20, 2018

User Story

As an admin, I want to prevent $0 donation spam so that my data remains clean and reports are reliable.

Current Behavior

I currently experience donation spam in the following ways:

  • $0 donation and donor created on forms with registration
  • small donation and donor created on forms with registration (pay to spam)
  • $0 donation without donor created on forms without registration
  • only donor created due to Stop Signup Spam plugin preventing the donation from being created
  • spam donors created via the [give_register] registration form (maybe a separate issue).

Expected Behavior

I expect to only see real donations/donors appear in Give.

Possible Solution

Because of the $0 donations, it appears likely that these spammy donations are the result of direct $_POST requests rather than donations made through the form.

  1. Confirm that nonce validation is working as expected so that only donations with valid nonce fields are allowed.
  2. Test the donation form with JS turned off to check the effectiveness of server-side validation.
  3. Check $0 condition immediately after nonce validation so that the submission process can be short-circuited if a valid amount is not included.

Steps to Reproduce

Via front-end form with JS turned off

  1. Attempt donation through front-end form with JS turned off. Use $0 as the amount.
  2. Verify whether the donation/donor appear in the database and Give admin UI.

Via $_POST request

  1. Mimic the $_POST request that Give uses to submit a donation. Use $0 as the amount.
  2. Verify whether the donation/donor appear in the database and Give admin UI.

Related

Issues

  • feat(form): disallow email address as first name #2862

Support Tickets

Tasks

  • Recreate a $0 donation via front-end form with JS turned off and report results in this issue.
  • Recreate a $0 donation via $_POST using Postman and report results in this issue.
  • Improve server-side validation to prevent spam.
  • Confirm that spam is stopped through front-end donation form with JS turned on.
  • Confirm that spam is stopped through front-end donation form with JS turned off.
  • Confirm that spam is stopped through direct $_POST request.
@kevinwhoffman

Member Author

commented Mar 26, 2018

@raftaar1191 Please start by trying to recreate the $0 donations through the front-end form and as a $_POST request. Report here what you find. Thanks.

@raftaar1191

Member

commented Mar 27, 2018

Finding

I have tested this out with JS disabled and also with Postman. I came to the point where we check for the donation minimum amount when the amount is donated, and if the custom amount is disabled, the minimum donation amount is zero.

What we can do

When we check the minimum donation amount conditions and the custom amount option is disabled, then we should get the minimum amount from the donation level if the Donation Option is set as Multi-level Donation, or, if the Donation Option is set as Set Donation, we should pick the value from the Set Donation input box.

We can use the give_get_lowest_price_option function to get the form's minimum donation amount.

We should call the give_get_lowest_price_option function at the time of fetching the donation form's minimum value in the class method called get_minimum_price.
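A standalone model of the check described in the Possible Solution above and in this comment, added here as an illustration and not GiveWP's own code: the nonce is verified first, then the amount is parsed strictly and compared against a minimum derived from the form's configured levels or set price rather than a 0 default. The function names, the form array keys and the POST field names (give-amount, give-form-nonce) are assumptions.

```php
<?php
// Added illustration, not GiveWP's code. The POST field names, the form
// array keys and all function names are assumptions for this example.

// Resolve the form's floor the way the comment above proposes: with custom
// amounts disabled, take the lowest configured level (multi-level) or the
// single set price, so the minimum is never silently 0.
function resolve_minimum_amount(array $form): float {
    if (!empty($form['custom_amount_enabled'])) {
        $min = (float) ($form['custom_minimum'] ?? 0);
        return $min > 0 ? $min : 0.01; // never accept a 0 floor
    }
    if (($form['price_option'] ?? 'set') === 'multi') {
        $levels = array_filter(array_map('floatval', $form['levels'] ?? []), fn($v) => $v > 0);
        if ($levels === []) {
            throw new InvalidArgumentException('multi-level form has no positive level');
        }
        return min($levels); // stands in for give_get_lowest_price_option()
    }
    $set = (float) ($form['set_price'] ?? 0);
    if ($set <= 0) {
        throw new InvalidArgumentException('set-donation form has no positive price');
    }
    return $set;
}

// Validate a raw POST body. Order matters: reject a bad nonce first, then
// short-circuit on the amount before any donor or donation row is created.
// Returns null when the submission is acceptable, otherwise an error code.
function validate_donation_submission(array $post, array $form, string $expected_nonce): ?string {
    if (!hash_equals($expected_nonce, (string) ($post['give-form-nonce'] ?? ''))) {
        return 'invalid_nonce';
    }
    // Parse the amount strictly: "", "0", "abc" and "1e3" must not pass as money.
    $raw = (string) ($post['give-amount'] ?? '');
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $raw)) {
        return 'invalid_amount';
    }
    if ((float) $raw < resolve_minimum_amount($form)) {
        return 'below_minimum';
    }
    return null;
}

// Constructed sample: multi-level form, custom amounts off, a $0 POST carrying a valid nonce.
$form = ['custom_amount_enabled' => false, 'price_option' => 'multi', 'levels' => ['25', '50', '100']];
$post = ['give-form-nonce' => 'sample-nonce', 'give-amount' => '0'];
var_dump(validate_donation_submission($post, $form, 'sample-nonce'));
```

With JS disabled the browser-side minimum is gone, so this server-side floor is the only thing standing between a $0 body and a created donor/donation row.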

@kevinwhoffman

Member Author

commented Mar 28, 2018

Slack Call Summary

Participants: @raftaar1191, @kevinwhoffman
Topic: Discuss how $0 donations are being prevented
Result: Deepak concluded that the form minimum was being set to 0 under certain circumstances and that $0 donations could be made with JS disabled. Deepak has submitted a PR to prevent the form minimum from being set to 0.

Deepak was unable to make a donation through a direct $_POST request in Postman due to nonce verification. This is a good thing; it means our nonce verification is working.

cc: @mathetos

DevinWalker added a commit that referenced this issue Mar 28, 2018

Merge pull request #2956 from raftaar1191/issues-2930
fix(donation): update minimum amount for amount method #2930

DevinWalker added a commit that referenced this issue Mar 28, 2018

Merge branch 'release/2.0.7' into release/2.1
* release/2.0.7:
  fix(donation): update minimum amount for amount method #2930

@kevinwhoffman kevinwhoffman changed the title fix(donation): prevent spam fix(donation): prevent $0 donation spam Mar 28, 2018

@mehul0810

Contributor

commented Apr 17, 2018

@kevinwhoffman I've created a new issue on preventing donation/donor spam, as I have set up a customized form in PHP to send spam and it is going through with test donations.
