SECURITY: Limit email invitations to topic

2024-11-25 02:11:08 -06:00 · 2022-08-10 15:39:26 +10:00 · 2022-08-10 15:39:26 +10:00 · cc84ea2444
commit cc84ea2444
parent a0537816fb
2 changed files with 20 additions and 0 deletions
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@ -113,6 +113,8 @@ class Invite < ActiveRecord::Base
        invite.destroy
        invite = nil
      end
+      email_digest = Digest::SHA256.hexdigest(email)
+      RateLimiter.new(invited_by, "reinvites-per-day-#{email_digest}", 3, 1.day.to_i).performed!
    end

    emailed_status = if opts[:skip_email] || invite&.emailed_status == emailed_status_types[:not_required]
--- a/spec/models/invite_spec.rb
+++ b/spec/models/invite_spec.rb
@ -176,6 +176,24 @@ RSpec.describe Invite do

        expect(invite.invite_key).not_to eq(another_invite.invite_key)
      end
+
+      context "when email is already invited 3 times" do
+        before do
+          RateLimiter.enable
+          3.times do
+            Invite.generate(user, email: "test@example.com")
+          end
+        end
+
+        after do
+          RateLimiter.clear_all!
+        end
+
+        it "raises an error" do
+          expect { Invite.generate(user, email: "test@example.com") }
+            .to raise_error(RateLimiter::LimitExceeded)
+        end
+      end
    end

    context 'when inviting to a topic' do