github/penpot
1
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2026-04-25 11:18:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

🚑 Fix email blacklisting (#9122)

Browse Source
This commit is contained in:
Yamila Moreno 2026-04-23 09:42:40 +02:00 committed by GitHub
parent ba42cc04b7
commit 5f7de04efe
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
backend/src/app/email/blacklist.clj
View File

@ -36,10 +36,18 @@
:cause cause)))))
(defn contains?
"Check if email is in the blacklist."
"Check if email is in the blacklist. Also matches subdomains: if
'somedomain.com' is blacklisted, 'xxx@foo.somedomain.com' will also
be rejected."
[{:keys [::email/blacklist]} email]
(let [[_ domain] (str/split email "@" 2)]
(c/contains? blacklist (str/lower domain))))
(let [[_ domain] (str/split email "@" 2)
parts (str/split (str/lower domain) #"\.")]
(loop [parts parts]
(if (empty? parts)
false
(if (c/contains? blacklist (str/join "." parts))
true
(recur (rest parts)))))))
(defn enabled?
"Check if the blacklist is enabled"

34
backend/test/backend_tests/email_blacklist_test.clj Normal file
View File

@ -0,0 +1,34 @@
;; This Source Code Form is subject to the terms of the Mozilla Public
;; License, v. 2.0. If a copy of the MPL was not distributed with this
;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;;
;; Copyright (c) KALEIDOS INC
(ns backend-tests.email-blacklist-test
(:require
[app.email :as-alias email]
[app.email.blacklist :as blacklist]
[clojure.test :as t]))
(def ^:private cfg
{::email/blacklist #{"somedomain.com" "spam.net"}})
(t/deftest test-exact-domain-match
(t/is (true? (blacklist/contains? cfg "user@somedomain.com")))
(t/is (true? (blacklist/contains? cfg "user@spam.net")))
(t/is (false? (blacklist/contains? cfg "user@legit.com"))))
(t/deftest test-subdomain-match
(t/is (true? (blacklist/contains? cfg "user@sub.somedomain.com")))
(t/is (true? (blacklist/contains? cfg "user@a.b.somedomain.com")))
;; A domain that merely contains the blacklisted string but is not a
;; subdomain must NOT be rejected.
(t/is (false? (blacklist/contains? cfg "user@notsomedomain.com"))))
(t/deftest test-case-insensitive
(t/is (true? (blacklist/contains? cfg "user@SOMEDOMAIN.COM")))
(t/is (true? (blacklist/contains? cfg "user@Sub.SomeDomain.Com"))))
(t/deftest test-non-blacklisted-domain
(t/is (false? (blacklist/contains? cfg "user@example.com")))
(t/is (false? (blacklist/contains? cfg "user@sub.legit.com"))))