fix: prevent mailbox disclosure (#2284)

2024-11-16 17:08:30 +01:00 · 2024-10-23 10:24:15 +02:00 · 2024-10-23 10:24:15 +02:00 · f55ab58d0c
commit f55ab58d0c
parent 1afd392e5c
3 changed files with 20 additions and 5 deletions
--- a/app/dashboard/views/mailbox.py
+++ b/app/dashboard/views/mailbox.py
@ -121,10 +121,16 @@ def mailbox_route():
@login_required
 def mailbox_verify():
    mailbox_id = request.args.get("mailbox_id")
+    if not mailbox_id:
+        LOG.i("Missing mailbox_id")
+        flash("You followed an invalid link", "error")
+        return redirect(url_for("dashboard.mailbox_route"))
+
    code = request.args.get("code")
    if not code:
        # Old way
        return verify_with_signed_secret(mailbox_id)
+
    try:
        mailbox = mailbox_utils.verify_mailbox_code(current_user, mailbox_id, code)
    except mailbox_utils.MailboxError as e:
--- a/app/mailbox_utils.py
+++ b/app/mailbox_utils.py
@ -171,17 +171,17 @@ def verify_mailbox_code(user: User, mailbox_id: int, code: str) -> Mailbox:
            f"User {user} failed to verify mailbox {mailbox_id} because it does not exist"
        )
        raise MailboxError("Invalid mailbox")
+    if mailbox.user_id != user.id:
+        LOG.i(
+            f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
+        )
+        raise MailboxError("Invalid mailbox")
    if mailbox.verified:
        LOG.i(
            f"User {user} failed to verify mailbox {mailbox_id} because it's already verified"
        )
        clear_activation_codes_for_mailbox(mailbox)
        return mailbox
-    if mailbox.user_id != user.id:
-        LOG.i(
-            f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
-        )
-        raise MailboxError("Invalid mailbox")

    activation = (
        MailboxActivation.filter(MailboxActivation.mailbox_id == mailbox_id)
--- a/tests/test_mailbox_utils.py
+++ b/tests/test_mailbox_utils.py
@ -286,6 +286,15 @@ def test_verify_other_users_mailbox():
        mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")


+def test_verify_other_users_already_verified_mailbox():
+    other = create_new_user()
+    mailbox = Mailbox.create(
+        user_id=other.id, email=random_email(), verified=True, commit=True
+    )
+    with pytest.raises(mailbox_utils.MailboxError):
+        mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")
+
+
@mail_sender.store_emails_test_decorator
 def test_verify_fail():
    output = mailbox_utils.create_mailbox(user, random_email())