Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prevent potential email abuse on invitations endpoint #4569

Merged
merged 4 commits into from
Apr 4, 2024
Merged

fix: prevent potential email abuse on invitations endpoint #4569

merged 4 commits into from
Apr 4, 2024

Conversation

fontanierh
Copy link
Contributor

@fontanierh fontanierh commented Apr 4, 2024
edited
Loading

Description

fixes #4555

Limits the # of email invitations a workspace can send every day (50).
Prevents sending several invitations to the same email for the same workspace within a day

Risk

Deploy Plan

@fontanierh fontanierh added security Security Issues p1 p1 priority tasks labels Apr 4, 2024
@fontanierh fontanierh requested review from flvndvd and spolu April 4, 2024 13:21
@fontanierh fontanierh force-pushed the fix/prevent-email-abuse-on-invitation-endpoint branch from 5dd657f to 3433272 Compare April 4, 2024 13:22
@fontanierh fontanierh force-pushed the fix/prevent-email-abuse-on-invitation-endpoint branch from 3433272 to 28622c7 Compare April 4, 2024 13:22
flvndvd
flvndvd reviewed Apr 4, 2024
View reviewed changes
front/pages/api/w/[wId]/invitations/index.ts Outdated Show resolved Hide resolved
front/pages/api/w/[wId]/invitations/index.ts Outdated
const unconsumedInvitations = await MembershipInvitation.findAll({
where: {
workspaceId: owner.id,
status: ["pending", "revoked"],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we account for revoked in there?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah because otherwise you can just revoke and re-send. Maybe we should discard revoked ones that are too old ? TBH if you have more than a few revoked it's fishy

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But what happens when you have revoked 50 invitations, you can't invite anymore?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simplified the whole thing. Now were just looking at invitations from the last 24 hours. IMO it's enough to limit abuse.

front/pages/api/w/[wId]/invitations/index.ts Outdated Show resolved Hide resolved
front/pages/api/w/[wId]/invitations/index.ts
)
.map((i) => i.inviteEmail.toLowerCase().trim())
);
if (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming one email address already has a fresh recent invitation, the entire operation will fail?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, would you prefer that we only filter those out ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean as long as we have an explicit error message in the UI and the user does not lose its email addresses list, I'm fine.

Henry Fontanier added 2 commits April 4, 2024 15:37
@fontanierh fontanierh force-pushed the fix/prevent-email-abuse-on-invitation-endpoint branch from d4b0f9f to e120d41 Compare April 4, 2024 13:47
@fontanierh fontanierh requested a review from flvndvd April 4, 2024 13:48
flvndvd
flvndvd approved these changes Apr 4, 2024
View reviewed changes
Copy link
Contributor

@flvndvd flvndvd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

front/lib/api/invitation.ts Show resolved Hide resolved
front/pages/api/w/[wId]/invitations/index.ts
});
}
const emailsWithRecentUnconsumedInvitations = new Set(
unconsumedInvitations.map((i) => i.inviteEmail.toLowerCase().trim())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we do this when creating those invitations?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ceinture bretelles

@fontanierh fontanierh merged commit 707dfb4 into main Apr 4, 2024
7 checks passed
@fontanierh fontanierh deleted the fix/prevent-email-abuse-on-invitation-endpoint branch April 4, 2024 15:05
flvndvd pushed a commit that referenced this pull request May 26, 2024
@fontanierh @flvndvd
fix: prevent potential email abuse on invitations endpoint (#4569)
7c07fe8 
* fix: prevent potential email abuse on invitations endpoint

* nit

* simplify

* nits

---------

Co-authored-by: Henry Fontanier <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flvndvd flvndvd flvndvd approved these changes

@spolu spolu Awaiting requested review from spolu

Assignees
No one assigned
Labels
p1 p1 priority tasks security Security Issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Potential Email Abuse in Dust Workspace
2 participants
@fontanierh @flvndvd