fix: prevent mailbox disclosure (#2284)
cquintana92 authored Oct 23, 2024
1 parent 1afd392 commit f55ab58
Showing 3 changed files with 20 additions and 5 deletions.
6 changes: 6 additions & 0 deletions app/dashboard/views/mailbox.py
Expand Up @@ -121,10 +121,16 @@ def mailbox_route():
@login_required
def mailbox_verify():
mailbox_id = request.args.get("mailbox_id")
if not mailbox_id:
LOG.i("Missing mailbox_id")
flash("You followed an invalid link", "error")
return redirect(url_for("dashboard.mailbox_route"))

code = request.args.get("code")
if not code:
# Old way
return verify_with_signed_secret(mailbox_id)

try:
mailbox = mailbox_utils.verify_mailbox_code(current_user, mailbox_id, code)
except mailbox_utils.MailboxError as e:
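Review bot: The `if not mailbox_id` guard in mailbox_verify rejects only a missing or empty parameter, so any other query string still reaches `mailbox_utils.verify_mailbox_code(current_user, mailbox_id, code)`, whose signature in app/mailbox_utils.py annotates `mailbox_id: int`. How the lookup behaves on a non-numeric id is not visible on this page, so a malformed link may fail somewhere other than the "invalid link" path. I would convert the value after the legacy `if not code` branch (the name verify_with_signed_secret suggests that path wants the raw string; confirm) and reuse the same flash and redirect on `ValueError`, logging a fixed message rather than the raw parameter. mailbox_verify continues past the end of the hunk.

```python
        return verify_with_signed_secret(mailbox_id)

    try:
        mailbox_id = int(mailbox_id)
    except ValueError:
        LOG.i("Malformed mailbox_id")
        flash("You followed an invalid link", "error")
        return redirect(url_for("dashboard.mailbox_route"))
    # … unchanged: verify_mailbox_code call and MailboxError handling …
```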
10 changes: 5 additions & 5 deletions app/mailbox_utils.py
Expand Up @@ -171,17 +171,17 @@ def verify_mailbox_code(user: User, mailbox_id: int, code: str) -> Mailbox:
f"User {user} failed to verify mailbox {mailbox_id} because it does not exist"
)
raise MailboxError("Invalid mailbox")
if mailbox.user_id != user.id:
LOG.i(
f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
)
raise MailboxError("Invalid mailbox")
if mailbox.verified:
LOG.i(
f"User {user} failed to verify mailbox {mailbox_id} because it's already verified"
)
clear_activation_codes_for_mailbox(mailbox)
return mailbox
if mailbox.user_id != user.id:
LOG.i(
f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
)
raise MailboxError("Invalid mailbox")

activation = (
MailboxActivation.filter(MailboxActivation.mailbox_id == mailbox_id)
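Review bot: The ownership check in verify_mailbox_code carries no comment saying that its position is security-relevant, so a later refactor could move it back below the `if mailbox.verified` early return. This page lost its +/- markers and prints the `if mailbox.user_id != user.id` block on both sides of that return; the added test in tests/test_mailbox_utils.py expects MailboxError for another user's verified mailbox, which only holds if the ownership check runs first, so that appears to be the new side. I would add above it: `# Check ownership before any branch on mailbox state, so a foreign mailbox is indistinguishable from a missing one.` The function starts before and continues after this hunk.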
9 changes: 9 additions & 0 deletions tests/test_mailbox_utils.py
Expand Up @@ -286,6 +286,15 @@ def test_verify_other_users_mailbox():
mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")


def test_verify_other_users_already_verified_mailbox():
other = create_new_user()
mailbox = Mailbox.create(
user_id=other.id, email=random_email(), verified=True, commit=True
)
with pytest.raises(mailbox_utils.MailboxError):
mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")


@mail_sender.store_emails_test_decorator
def test_verify_fail():
output = mailbox_utils.create_mailbox(user, random_email())
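Review bot: `test_verify_other_users_already_verified_mailbox` passes on any MailboxError, so it would not notice if the foreign-mailbox path began raising a message different from the missing-mailbox one. Both branches visible in verify_mailbox_code raise `MailboxError("Invalid mailbox")`, and pinning that keeps the two cases indistinguishable to the caller: `with pytest.raises(mailbox_utils.MailboxError, match="Invalid mailbox"):`. This assumes MailboxError stringifies to its message, which is not shown here; if it does not, capture the exception and compare the message it carries.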
