check blocklist for emails when adding them to account (#26812) (#26831)

Backport #26812 by @techknowlogick

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
Giteabot 2023-08-31 08:52:19 +08:00 committed by GitHub
parent c72f6067b3
commit 41bae29f84
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 40 additions and 27 deletions

View File

@ -16,6 +16,7 @@ import (
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
"code.gitea.io/gitea/modules/validation"
"xorm.io/builder" "xorm.io/builder"
) )
@ -161,7 +162,17 @@ func ValidateEmail(email string) error {
return ErrEmailInvalid{email} return ErrEmailInvalid{email}
} }
// TODO: add an email allow/block list // if there is no allow list, then check email against block list
if len(setting.Service.EmailDomainAllowList) == 0 &&
validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, email) {
return ErrEmailInvalid{email}
}
// if there is an allow list, then check email against allow list
if len(setting.Service.EmailDomainAllowList) > 0 &&
!validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, email) {
return ErrEmailInvalid{email}
}
return nil return nil
} }

View File

@ -10,6 +10,8 @@ import (
"strings" "strings"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"github.com/gobwas/glob"
) )
var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`) var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`)
@ -48,6 +50,29 @@ func IsValidSiteURL(uri string) bool {
return false return false
} }
// IsEmailDomainListed checks whether the domain of an email address
// matches a list of domains
func IsEmailDomainListed(globs []glob.Glob, email string) bool {
if len(globs) == 0 {
return false
}
n := strings.LastIndex(email, "@")
if n <= 0 {
return false
}
domain := strings.ToLower(email[n+1:])
for _, g := range globs {
if g.Match(domain) {
return true
}
}
return false
}
// IsAPIURL checks if URL is current Gitea instance API URL // IsAPIURL checks if URL is current Gitea instance API URL
func IsAPIURL(uri string) bool { func IsAPIURL(uri string) bool {
return strings.HasPrefix(strings.ToLower(uri), strings.ToLower(setting.AppURL+"api")) return strings.HasPrefix(strings.ToLower(uri), strings.ToLower(setting.AppURL+"api"))

View File

@ -13,10 +13,10 @@ import (
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/validation"
"code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/modules/web/middleware"
"gitea.com/go-chi/binding" "gitea.com/go-chi/binding"
"github.com/gobwas/glob"
) )
// InstallForm form for installation page // InstallForm form for installation page
@ -103,29 +103,6 @@ func (f *RegisterForm) Validate(req *http.Request, errs binding.Errors) binding.
return middleware.Validate(errs, ctx.Data, f, ctx.Locale) return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
} }
// IsEmailDomainListed checks whether the domain of an email address
// matches a list of domains
func IsEmailDomainListed(globs []glob.Glob, email string) bool {
if len(globs) == 0 {
return false
}
n := strings.LastIndex(email, "@")
if n <= 0 {
return false
}
domain := strings.ToLower(email[n+1:])
for _, g := range globs {
if g.Match(domain) {
return true
}
}
return false
}
// IsEmailDomainAllowed validates that the email address // IsEmailDomainAllowed validates that the email address
// provided by the user matches what has been configured . // provided by the user matches what has been configured .
// The email is marked as allowed if it matches any of the // The email is marked as allowed if it matches any of the
@ -133,10 +110,10 @@ func IsEmailDomainListed(globs []glob.Glob, email string) bool {
// domains in the blocklist, if any such list is not empty. // domains in the blocklist, if any such list is not empty.
func (f *RegisterForm) IsEmailDomainAllowed() bool { func (f *RegisterForm) IsEmailDomainAllowed() bool {
if len(setting.Service.EmailDomainAllowList) == 0 { if len(setting.Service.EmailDomainAllowList) == 0 {
return !IsEmailDomainListed(setting.Service.EmailDomainBlockList, f.Email) return !validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, f.Email)
} }
return IsEmailDomainListed(setting.Service.EmailDomainAllowList, f.Email) return validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, f.Email)
} }
// MustChangePasswordForm form for updating your password after account creation // MustChangePasswordForm form for updating your password after account creation