From 28edd5a22a4bcbd3c64c0e2f29c8bf8db66b4dd1 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 5 Sep 2021 18:21:35 -0500
Subject: [PATCH] emails: hardcode nondisposable email list.

Hardcode the list of nondisposable email providers instead of making it a config option. Also add a few new providers. This was previously a config option to keep it secret, but there's not much need for secrecy here. A Restricted user's email must be on this list to unrestrict their account. If a user is Restricted and their email is not in this list, then it's assumed to be disposable and can't be used to unrestrict their account even if they verify their email address.
---
 app/logical/email_validator.rb | 76 ++++++++++++++++++++++-
 app/models/email_address.rb | 2 +-
 config/danbooru_default_config.rb | 13 ----
 test/functional/emails_controller_test.rb | 4 --
 4 files changed, 74 insertions(+), 21 deletions(-)

diff --git a/app/logical/email_validator.rb b/app/logical/email_validator.rb
index ca7292493..7e498e928 100644
--- a/app/logical/email_validator.rb
+++ b/app/logical/email_validator.rb
@@ -134,6 +134,78 @@ module EmailValidator
     "hanmail.net" => "daum.net",
   }
 
+  # A list of domains known not to be disposable. A user's email must be on
+  # this list to unrestrict their account. If a user is Restricted and their
+  # email is not in this list, then it's assumed to be disposable and can't be
+  # used to unrestrict their account even if they verify their email address.
+  #
+  # https://www.mailboxvalidator.com/domain
+  NONDISPOSABLE_DOMAINS = %w[
+    gmail.com
+    outlook.com
+    yahoo.com
+    aol.com
+    comcast.net
+    att.net
+    bellsouth.net
+    cox.net
+    sbcglobal.net
+    verizon.net
+    icloud.com
+    rocketmail.com
+    windowslive.com
+    qq.com
+    vip.qq.com
+    sina.com
+    naver.com
+    163.com
+    daum.net
+    mail.goo.ne.jp
+    nate.com
+    mail.com
+    protonmail.com
+    gmx.net
+    web.de
+    freenet.de
+    o2.pl
+    op.pl
+    wp.pl
+    interia.pl
+    mail.ru
+    yandex.ru
+    rambler.ru
+    abv.bg
+    seznam.cz
+    libero.it
+    laposte.net
+    free.fr
+    orange.fr
+    citromail.hu
+    ukr.net
+    t-online.de
+    inbox.lv
+    luukku.com
+    lycos.com
+    tlen.pl
+    infoseek.jp
+    excite.co.jp
+    mac.com
+    wanadoo.fr
+    ezweb.ne.jp
+    arcor.de
+    docomo.ne.jp
+    earthlink.net
+    charter.net
+    hushmail.com
+    inbox.com
+    juno.com
+    shaw.ca
+    walla.com
+    tutanota.com
+    foxmail.com
+    vivaldi.net
+  ]
+
   # Returns true if it's okay to connect to port 25. Disabled outside of
   # production because many home ISPs blackhole port 25.
   def smtp_enabled?
@@ -168,10 +240,8 @@ module EmailValidator
   # @param [String] the email address
   # @return [Boolean]
   def is_restricted?(address)
-    return false if Danbooru.config.email_domain_verification_list.blank?
-
     domain = Mail::Address.new(address).domain
-    !domain.in?(Danbooru.config.email_domain_verification_list.to_a)
+    !domain.in?(NONDISPOSABLE_DOMAINS)
   rescue Mail::Field::IncompleteParseError
     true
   end
diff --git a/app/models/email_address.rb b/app/models/email_address.rb
index 27546f4b3..4d6c09101 100644
--- a/app/models/email_address.rb
+++ b/app/models/email_address.rb
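Review bot: `NONDISPOSABLE_DOMAINS` is left as a plain `%w[...]` array, so the constant that now single-handedly decides whether a Restricted account can be unrestricted is mutable at runtime; close it with `].freeze` so an accidental `<<` or `delete` elsewhere raises instead of silently widening or narrowing the allow-list. The same constant is consumed by `is_restricted?` in the next hunk and by `EmailAddress.restricted` in app/models/email_address.rb, which turns it into a SQL regex, so the header comment should also state what both consumers require of entries, e.g. `# Entries are bare, lowercase domains and matching is exact; aliases such as the "hanmail.net" => "daum.net" map above are not expanded here, so each accepted spelling needs its own entry.` Whether the map above is applied before this list is consulted is not visible in the hunk, so that last clause should be checked against the caller.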
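Review bot: `!domain.in?(NONDISPOSABLE_DOMAINS)` compares the parsed domain case-sensitively against an all-lowercase list, so an address like `user@Gmail.com` would be reported as restricted unless the address was lowercased before reaching this method; that normalization is not visible in the hunk (the `"hanmail.net" => "daum.net"` map in the first hunk suggests some exists), so please confirm. Failing closed is the right direction, but if normalization is not guaranteed, `!domain.to_s.downcase.in?(NONDISPOSABLE_DOMAINS)` makes the check independent of caller casing and also covers `Mail::Address#domain` returning nil for a domain-less address, which today relies on `nil.in?` happening to be false. With the `blank?` guard gone there is no longer a way to disable the check, so the docstring should state the new contract, e.g. `# @return [Boolean] true unless the domain is a known nondisposable provider; unparseable addresses count as restricted`. The whole of `is_restricted?` is inside the hunk.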
@@ -32,7 +32,7 @@ class EmailAddress < ApplicationRecord
   end
 
   def self.restricted(restricted = true)
-    domains = Danbooru.config.email_domain_verification_list
+    domains = EmailValidator::NONDISPOSABLE_DOMAINS
     domain_regex = domains.map { |domain| Regexp.escape(domain) }.join("|")
 
     if restricted.to_s.truthy?
diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb
index d9d891d7d..971cdcec8 100644
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@@ -551,19 +551,6 @@ module Danbooru
     nil
   end
 
-  # The whitelist of email domains allowed for account verification purposes.
-  # If a user signs up from a proxy, they must verify their account using an
-  # email address from one of the domains on this list before they can do
-  # anything on the site. This is meant to prevent users from using
-  # disposable emails to create sockpuppet accounts.
-  #
-  # If this list is empty or nil, then there are no restrictions on which
-  # email domains can be used to verify accounts.
-  def email_domain_verification_list
-    # ["gmail.com", "outlook.com", "yahoo.com"]
-    []
-  end
-
   # Cloudflare API token. Used to purge URLs from Cloudflare's cache when a
   # post is replaced. The token must have 'zone.cache_purge' permissions.
   # https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys
diff --git a/test/functional/emails_controller_test.rb b/test/functional/emails_controller_test.rb
index 34d2000a9..117f86213 100644
--- a/test/functional/emails_controller_test.rb
+++ b/test/functional/emails_controller_test.rb
@@ -166,7 +166,6 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
     context "for a Restricted user" do
       context "with a nondisposable email address" do
         should "unrestrict the user's account" do
-          Danbooru.config.stubs(:email_domain_verification_list).returns(["gmail.com"])
           @restricted_user.email_address.update!(address: "test@gmail.com")
 
           get email_verification_url(@restricted_user)
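Review bot: `domain_regex` is rebuilt from every entry of `EmailValidator::NONDISPOSABLE_DOMAINS` on each call to `restricted`; now that the source is a constant instead of per-request config, the pattern can be precomputed once at class level, e.g. `NONDISPOSABLE_DOMAIN_REGEX = Regexp.union(EmailValidator::NONDISPOSABLE_DOMAINS).source.freeze`, which escapes each entry exactly as the current `map`/`join` does. This method and `EmailValidator.is_restricted?` are now two implementations of the same allow-list rule — one in SQL, one in Ruby — and the anchoring and case handling that decide whether the SQL side matches whole domains sit below the hunk, so a comment such as `# Must agree with EmailValidator.is_restricted?: whole-domain match against the same list.` on the `domains =` line would keep the two from drifting. The remainder of `self.restricted` lies outside the hunk.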
@@ -180,7 +179,6 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
 
       context "with a disposable email address" do
         should "leave the user's account restricted" do
-          Danbooru.config.stubs(:email_domain_verification_list).returns(["gmail.com"])
           @restricted_user.email_address.update!(address: "test@mailinator.com")
 
           get email_verification_url(@restricted_user)
@@ -196,8 +194,6 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest
     context "for a Gold user" do
       should "not change the user's level" do
         @user = create(:gold_user, email_address: build(:email_address, { address: "test@gmail.com", is_verified: false }))
-        Danbooru.config.stubs(:email_domain_verification_list).returns(["gmail.com"])
-
         get email_verification_url(@user)
 
         assert_redirected_to @user