ldap: Prevent creation of users with malformed email value.

2021-06-09 15:39:18 +02:00 · 2021-06-09 15:39:18 +02:00 · b1da5d9d76
parent 18dab5619c
commit b1da5d9d76
2 changed files with 32 additions and 0 deletions
--- a/zerver/tests/test_signup.py
+++ b/zerver/tests/test_signup.py
@ -4283,6 +4283,28 @@ class UserSignUpTest(InviteUserBase):
            )
            self.assertEqual(phone_number_field_value.value, "a-new-number")

+    @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",))
+    def test_ldap_auto_registration_on_login_invalid_email_in_directory(self) -> None:
+        password = self.ldap_password("newuser_with_email")
+        username = "newuser_with_email"
+        subdomain = "zulip"
+
+        self.init_default_ldap_database()
+
+        self.change_ldap_user_attr("newuser_with_email", "mail", "thisisnotavalidemail")
+
+        with self.settings(
+            LDAP_EMAIL_ATTR="mail",
+        ), self.assertLogs("zulip.auth.ldap", "WARNING") as mock_log:
+            original_user_count = UserProfile.objects.count()
+            self.login_with_return(username, password, HTTP_HOST=subdomain + ".testserver")
+            # Verify that the process failed as intended - no UserProfile is created.
+            self.assertEqual(UserProfile.objects.count(), original_user_count)
+            self.assertEqual(
+                mock_log.output,
+                ["WARNING:zulip.auth.ldap:thisisnotavalidemail is not a valid email address."],
+            )
+
    @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",))
    def test_ldap_registration_multiple_realms(self) -> None:
        password = self.ldap_password("newuser")
--- a/zproject/backends.py
+++ b/zproject/backends.py
@ -832,6 +832,16 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
            # deactivated, so we shouldn't create a new user account
            raise ZulipLDAPException("Realm has been deactivated")

+        try:
+            validate_email(username)
+        except ValidationError:
+            error_message = f"{username} is not a valid email address."
+            # This indicates a misconfiguration of ldap settings
+            # or a malformed email value in the ldap directory,
+            # so we should log a warning about this before failing.
+            self.logger.warning(error_message)
+            raise ZulipLDAPException(error_message)
+
        # Makes sure that email domain hasn't be restricted for this
        # realm.  The main thing here is email_allowed_for_realm; but
        # we also call validate_email_not_already_in_realm just for consistency,