
Adds an option to strictly enforce single recipients for emails #5680

Open
wants to merge 1 commit into
base: main

Commits on Apr 3, 2024

  1. Adds an option to strictly enforce single recipients for emails

    Devise sends email containing sensitive values such as confirmation
    URLs, password reset URLs, and unlock URLs. In most (all?) cases, these
    should only be sent to a single person so that they alone can click the
    link. If the email is sent to multiple addresses, another person could
    click the link.
    
    Set `Devise.strict_single_recipient_emails` to an array of actions to
    raise an error when the email would be sent to more than one email
    address.
    
    By default Devise is secure:
    
    - `Devise.email_regexp` will reject email addresses containing
    separators (`,;`)
    - Devise gets a single email address from `record.email`
    
    However, when using `opts`, and particularly if providing untrusted
    user input to `opts`, multiple values could be present in `to:`, `cc:`,
    or `bcc:`.
    
    Example:
    
    ```ruby
    # POST https://your-app.com/customised-reset-password?email[]="[email protected]"&email[]="[email protected]"
    
    # Returns the victim's user
    user = User.find_by(email: params[:email])
    
    # unsafe, will send the link to two addresses:
    Devise.mailer.reset_password_instructions(user, 'fake-token', {to: params[:email]})
    
    # safe, devise will use the user's email address
    Devise.mailer.reset_password_instructions(user, 'fake-token')
    
    # safe, will raise error:
    Devise.strict_single_recipient_emails = [
      :confirmation_instructions,
      :reset_password_instructions,
      :unlock_instructions
    ]
    Devise.mailer.reset_password_instructions(user, 'fake-token', {to: params[:email]})
    ```
    nickmalcolm committed Apr 3, 2024 (commit c0b2765)
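The recipient check the commit describes, as an added stand-alone Ruby example; this is not Devise's code nor the PR's implementation. It assumes a simplified version of Devise's header merge (the record's email as the default `to:`, caller `opts` merged over it) and uses the hypothetical names `build_headers` and `MultipleRecipientsError`.

```ruby
# Hypothetical stand-in for the strict single-recipient check; not Devise's code.
class MultipleRecipientsError < StandardError; end

# Actions whose mail carries a sensitive one-time link (mirrors the commit message).
STRICT_SINGLE_RECIPIENT_ACTIONS = %i[
  confirmation_instructions
  reset_password_instructions
  unlock_instructions
].freeze

# Normalise a header value (nil, String, or Array) into a flat list of addresses.
# A single String may still hide several addresses behind ',' or ';', which a
# mail library would deliver to separately, so split on those separators too.
def recipient_list(value)
  Array(value).flat_map { |v| v.to_s.split(/[,;]/) }.map(&:strip).reject(&:empty?)
end

# Simplified header assembly: the record's email is the default `to:` and the
# caller-supplied opts are merged over it, as Devise's mailer does.
# For strict actions, raise unless exactly one distinct address remains across
# to/cc/bcc after the merge, regardless of which header it arrived in.
def build_headers(action, record_email, opts = {})
  headers = { to: record_email }.merge(opts)
  if STRICT_SINGLE_RECIPIENT_ACTIONS.include?(action)
    recipients = %i[to cc bcc].flat_map { |k| recipient_list(headers[k]) }.uniq
    unless recipients.length == 1
      raise MultipleRecipientsError,
            "#{action}: expected exactly 1 recipient, got #{recipients.length}"
    end
  end
  headers
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: untrusted params carrying two addresses.
  untrusted = ['user@example.com', 'other@example.com']
  puts build_headers(:reset_password_instructions, 'user@example.com').inspect
  begin
    build_headers(:reset_password_instructions, 'user@example.com', to: untrusted)
  rescue MultipleRecipientsError => e
    puts "blocked: #{e.message}"
  end
end
```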