Adds an option to strictly enforce single recipients for emails #5680
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Devise sends email containing sensitive values such as confirmation URLs, password reset URLs, and unlock URLs. In most (all?) cases, these should only be sent to a single person so that they alone can click the link. If the email is sent to multiple addresses, another person could click the link.
Set
Devise.strict_single_recipient_emails
to an array of actions to raise an error when the email would be sent to more than one email address.By default Devise is secure:
Devise.email_regexp
will reject email addresses containing separators (,;
)record.email
However, when using
opts
, and particularly if providing untrusted user input toopts
, multiple values could be present into:
,cc:
, orbcc:
.Example:
This work is similar to what I introduced at GitLab, but disabled by default and more configurable:
a) to avoid breaking changes,
b) to make it easier to enable for a subset of actions
GitLab MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145753
This is my first contribution to Devise - very happy to receive feedback and change things up as needed ❤️ Also fine if you'd rather not include this change 👍