Add global Spree::Config.default_email_regexp #4022
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
softr8
reviewed
Apr 9, 2021
core/lib/spree/app_configuration.rb
Outdated
| @@ -145,6 +145,10 @@ class AppConfiguration < Preferences::Configuration | |||
| # @return [String] Two-letter ISO code of a {Spree::Country} to assumed as the country of an unidentified customer (default: "US") | |||
| preference :default_country_iso, :string, default: 'US' | |||
|
|
|||
| # @!attribute [rw] default_email_regexp | |||
| # @return [Regexp] Regex to be used in email validations, for example in Spree::EmailValidator | |||
| preference :default_email_regexp, :regexp, default: /\A([^@\.]|[^@\.]([^@\s]*)[^@\.])@([^@\s]+\.)+[^@\s]+\z/ | |||
There was a problem hiding this comment.
Might be worth trying with Ruby's built in URI::MailTo::EMAIL_REGEXP
There was a problem hiding this comment.
This is just a copy of the regex in Spree::EmailValidator. That regex you mentioned is significantly different from it and I think changing it might have a potential impact for unaware upgraders.
There was a problem hiding this comment.
I think it might be worth considering an update of the regex because the current one has a couple of bugs.
At this link you can see and play with different combinations (be aware of the usage of ^ and $ instead of \A and \z, it was just to use multiline matches), but looks like that the current regex allows the following:
test @example.com: single whitespace before the@test@example.com: leading whitespace, although this is a smaller issue since Devise by default auto strips leading and trailing whitespaces onemailfields. TheSpree::Userclass insolidus_auth_deviseis immune from this bug because of the auto stripping.
Since this would enter a deprecation cycle, would it be ok updating the regex to something like this? Resulting in this example.
/\A([^@\s.]|[^@\s.]([^@\s]*)[^@\s.])@([^@\s]+\.)+[^@\s]+\z/@cesartalves , @kennyadsl , @softr8 thoughts?
There was a problem hiding this comment.
I see no problem in updating the regex. We can let users know that it's gonna happen on a release note. Besides, shouldn't break a lot of validations save few edge cases (e.g., white spaces as you mentioned).
kennyadsl
reviewed
Apr 12, 2021
cesartalves
force-pushed
the
create-email-regexp-configuration
branch
from
6b44873 to
8b43092
Compare
| include ActiveSupport::Deprecation::DeprecatedConstantAccessor | ||
|
|
||
| SPREE_EMAIL_REGEXP = Spree::Config.default_email_regexp | ||
| deprecate_constant 'EMAIL_REGEXP', "#{name}::SPREE_EMAIL_REGEXP" |
There was a problem hiding this comment.
If I am understanding this correctly, we're introducing another constant, SPREE_EMAIL_REGEXP, for the sake of being able to deprecate EMAIL_REGEXP, cause ActiveSupport's version of deprecate_constant requires a replacement constant.
If that's the case, we can avoid this by simply using ruby's Module.deprecate_constant from stdlib which is happy with just deprecating the constant, without replacement.
Also, if we're switching to Module.deprecate_constant, since we cannot customize the deprecation message, I guess it would be nice to add a comment making super-clear that the replacement for the constant is Spree::Config.default_email_regexp... I guess that devs checking this file after seeing the deprecation may be a bit confused.
|
Hey! Any particular reason why we're closing it? We could handle the change in value thanks to the new Solidus update process. I.e.: preference :default_email_regexp, :regexp, default: by_version(/\A([^@\.]|[^@\.]([^@\s]*)[^@\.])@([^@\s]+\.)+[^@\s]+\z/, "3.2.alpha" => URI::MailTo::EMAIL_REGEXP)Reopening to keep visibility on it. |
waiting-for-dev
added a commit
that referenced
this pull request
Dec 7, 2021
The denial of service vulnerability could be exploited in the checkout process for guest orders, as it's the only place where that regexp is used. To this point, registered users' emails (for instance, through solidus_auth_devise) don't validate against that regular expression. The previous regular expression had `([^@\s]+\.)+` bit on it. It was susceptible to exponential backtracking with a substring like `a.a.`. I.e.: ``` irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@" processing time: 54.293660s => nil ``` We take the occasion to remove the crafted regexp in use altogether. Instead, we use `URI::MailTo::REGEXP`, which follows https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address. It's improbable to find old emails that become invalid in a system, but, as a safeguard, we provide a task `solidus:check_orders_with_invalid_emails` to print information for orders that don't fulfill the new requirement. The issue has been present since 7af4b93. I.e., since version 1.0. The regexp had been copied from Devise's one, but they updated it in heartcombo/devise@830d3e8 References: GHSA-qxmr-qxh6-2cc9 https://en.wikipedia.org/wiki/ReDoS https://snyk.io/blog/redos-and-catastrophic-backtracking/ References #4022
waiting-for-dev
added a commit
that referenced
this pull request
Dec 7, 2021
The denial of service vulnerability could be exploited in the checkout process for guest orders, as it's the only place where that regexp is used. To this point, registered users' emails (for instance, through solidus_auth_devise) don't validate against that regular expression. The previous regular expression had `([^@\s]+\.)+` bit on it. It was susceptible to exponential backtracking with a substring like `a.a.`. I.e.: ``` irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@" processing time: 54.293660s => nil ``` We take the occasion to remove the crafted regexp in use altogether. Instead, we use `URI::MailTo::REGEXP`, which follows https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address. It's improbable to find old emails that become invalid in a system, but, as a safeguard, we provide a task `solidus:check_orders_with_invalid_emails` to print information for orders that don't fulfill the new requirement. The issue has been present since 7af4b93. I.e., since version 1.0. The regexp had been copied from Devise's one, but they updated it in heartcombo/devise@830d3e8 References: GHSA-qxmr-qxh6-2cc9 https://en.wikipedia.org/wiki/ReDoS https://snyk.io/blog/redos-and-catastrophic-backtracking/ References #4022
waiting-for-dev
added a commit
that referenced
this pull request
Dec 7, 2021
The denial of service vulnerability could be exploited in the checkout process for guest orders, as it's the only place where that regexp is used. To this point, registered users' emails (for instance, through solidus_auth_devise) don't validate against that regular expression. The previous regular expression had `([^@\s]+\.)+` bit on it. It was susceptible to exponential backtracking with a substring like `a.a.`. I.e.: ``` irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@" processing time: 54.293660s => nil ``` We take the occasion to remove the crafted regexp in use altogether. Instead, we use `URI::MailTo::REGEXP`, which follows https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address. It's improbable to find old emails that become invalid in a system, but, as a safeguard, we provide a task `solidus:check_orders_with_invalid_emails` to print information for orders that don't fulfill the new requirement. The issue has been present since 7af4b93. I.e., since version 1.0. The regexp had been copied from Devise's one, but they updated it in heartcombo/devise@830d3e8 References: GHSA-qxmr-qxh6-2cc9 https://en.wikipedia.org/wiki/ReDoS https://snyk.io/blog/redos-and-catastrophic-backtracking/ References #4022
waiting-for-dev
added a commit
that referenced
this pull request
Dec 7, 2021
The denial of service vulnerability could be exploited in the checkout process for guest orders, as it's the only place where that regexp is used. To this point, registered users' emails (for instance, through solidus_auth_devise) don't validate against that regular expression. The previous regular expression had `([^@\s]+\.)+` bit on it. It was susceptible to exponential backtracking with a substring like `a.a.`. I.e.: ``` irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@" processing time: 54.293660s => nil ``` We take the occasion to remove the crafted regexp in use altogether. Instead, we use `URI::MailTo::REGEXP`, which follows https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address. It's improbable to find old emails that become invalid in a system, but, as a safeguard, we provide a task `solidus:check_orders_with_invalid_emails` to print information for orders that don't fulfill the new requirement. The issue has been present since 7af4b93. I.e., since version 1.0. The regexp had been copied from Devise's one, but they updated it in heartcombo/devise@830d3e8 References: GHSA-qxmr-qxh6-2cc9 https://en.wikipedia.org/wiki/ReDoS https://snyk.io/blog/redos-and-catastrophic-backtracking/ References #4022
|
Hey @cesartalves, would you be willing to retake it? We should:
It'll also close #4341. |
This change adds a `:default_email_regexp` preference to be used by Spree::EmailValidator, allowing the regex to be fully and easily customizable.
waiting-for-dev
force-pushed
the
create-email-regexp-configuration
branch
from
8b43092 to
5e451b5
Compare
|
Hey, I rebased it myself and implemented @spaghetticode's suggestion. It should be ready for review. |
spaghetticode
approved these changes
Jun 23, 2022
jarednorman
approved these changes
Jun 24, 2022
cpfergus1
pushed a commit
to cpfergus1/solidus
that referenced
this pull request
Aug 25, 2022
The denial of service vulnerability could be exploited in the checkout process for guest orders, as it's the only place where that regexp is used. To this point, registered users' emails (for instance, through solidus_auth_devise) don't validate against that regular expression. The previous regular expression had `([^@\s]+\.)+` bit on it. It was susceptible to exponential backtracking with a substring like `a.a.`. I.e.: ``` irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@" processing time: 54.293660s => nil ``` We take the occasion to remove the crafted regexp in use altogether. Instead, we use `URI::MailTo::REGEXP`, which follows https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address. It's improbable to find old emails that become invalid in a system, but, as a safeguard, we provide a task `solidus:check_orders_with_invalid_emails` to print information for orders that don't fulfill the new requirement. The issue has been present since 7af4b93. I.e., since version 1.0. The regexp had been copied from Devise's one, but they updated it in heartcombo/devise@830d3e8 References: GHSA-qxmr-qxh6-2cc9 https://en.wikipedia.org/wiki/ReDoS https://snyk.io/blog/redos-and-catastrophic-backtracking/ References solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Mar 28, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Mar 28, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Mar 28, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Mar 28, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Apr 12, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Apr 14, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Apr 18, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Apr 18, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Apr 19, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
kennyadsl
added a commit
to nebulab/solidus
that referenced
this pull request
Apr 24, 2023
Please, use Spree::Config.default_email_regexp now. Ref solidusio#4022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds a :default_email_regexp preference to be used by Spree::EmailValidator and also solidus_auth_devise, allowing the regex to be fully and easily customizable. With this introduction it will be possible to keep the Devise.email_regexp in sync with solidus's email validator regexp.
Description
Checklist: