
Lack of data validation - Emails

Need

Implementation of email validation to prevent registration with disposable mailboxes

Context

  • Usage of PHP 7.0 for server-side scripting and web development
  • Usage of Laravel's Request class for handling incoming HTTP requests
  • Usage of the User model for managing user-related functionality
  • Usage of the Hash facade for secure password hashing and storage

Description

Non-compliant code

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

public function register(Request $request) {
    // The email is taken from the request body as-is: no format check and no domain check
    $email = $request->input('email');

    $user = new User();
    $user->email = $email;
    $user->password = Hash::make($request->input('password'));
    $user->save();

    return response()->json('User registered successfully!', 200);
}

The above code is a simple Laravel function for registering a new user. The function takes an HTTP request as input, extracts the 'email' and 'password' fields from the request, hashes the password using Laravel's Hash facade, and saves the new user to the database.

The vulnerability lies in the fact that no validation is performed on the email provided by the user. In particular, the code doesn't check whether the email address belongs to a disposable mailbox provider such as yopmail. This could allow an attacker to use disposable email addresses to register multiple fake accounts, which could then be used for spamming, trolling, or other malicious activities.

Steps

  • Create a list of disposable email domains that you want to block. This list should include domains like 'yopmail.com'.
  • Before saving the user's email, parse the email address to extract the domain.
  • Check if the extracted domain is in the list of blocked domains.
  • If the domain is in the list, return an error message to the user indicating that disposable email addresses are not allowed.
  • If the domain is not in the list, proceed with the user registration process as usual.

Compliant code

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

public function register(Request $request) {
    // Reject malformed addresses first, so the domain extraction below always has an '@' to split on
    $request->validate(['email' => 'required|email', 'password' => 'required']);

    $email = $request->input('email');
    // The domain is everything after the last '@'; lower-case it so 'YOPMAIL.COM' cannot bypass the check
    $emailDomain = strtolower(substr(strrchr($email, "@"), 1));

    $blockedDomains = ['yopmail.com', 'tempmail.com', '10minutemail.com']; // Add more disposable email domains as needed

    // Strict comparison: the domain must match a blocked entry exactly
    if (in_array($emailDomain, $blockedDomains, true)) {
        return response()->json('Disposable email addresses are not allowed.', 400);
    }

    $user = new User();
    $user->email = $email;
    $user->password = Hash::make($request->input('password'));
    $user->save();

    return response()->json('User registered successfully!', 200);
}

The updated code now includes a check for disposable email addresses.

First, we extract the domain from the email address provided by the user. This is done with the strrchr and substr functions, which return the substring after the last "@" symbol.

Next, we define a list of blocked domains. This list includes 'yopmail.com', 'tempmail.com', and '10minutemail.com', but you can add more disposable email domains as needed.

We then check whether the extracted email domain is in the list of blocked domains using the in_array function. If the domain is in the list, we return a 400 response with an error message indicating that disposable email addresses are not allowed.

If the domain is not in the list of blocked domains, we proceed with the user registration process as usual. The user's email and hashed password are saved, and a 200 response is returned with a success message.
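The following is an added, framework-free example (not the page's own code) that implements the five steps above as plain PHP 7.0 functions and covers the inputs a bare in_array() on the raw string gets wrong: an address with no "@", upper-case domains, and subdomains of a blocked domain. The blocklist and the sample addresses are constructed values; the function names are this example's own.

```php
<?php
declare(strict_types=1);

// Constructed sample blocklist; a real deployment would load a maintained list.
const BLOCKED_DOMAINS = ['yopmail.com', 'tempmail.com', '10minutemail.com'];

// Returns the lower-cased domain of a syntactically valid address, or null when
// the input is not a valid email (missing '@', embedded whitespace, empty string).
function extractEmailDomain(string $email)
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The domain is everything after the last '@' (a quoted local part may itself contain '@').
    $domain = substr($email, strrpos($email, '@') + 1);
    // Case-fold and drop a trailing dot so 'YOPMAIL.COM' and 'yopmail.com.' compare equal.
    return strtolower(rtrim($domain, '.'));
}

// True when the domain is a blocked domain or a subdomain of one (e.g. 'mail.yopmail.com'),
// so the check cannot be bypassed by prepending a label.
function isDisposableDomain(string $domain, array $blocked = BLOCKED_DOMAINS): bool
{
    foreach ($blocked as $blockedDomain) {
        if ($domain === $blockedDomain) {
            return true;
        }
        $suffix = '.' . $blockedDomain;
        if (strlen($domain) > strlen($suffix) && substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Mirrors the decision the register() handler makes; a controller would map
// 'status' and 'message' onto the JSON response.
function validateRegistrationEmail(string $email): array
{
    $domain = extractEmailDomain($email);
    if ($domain === null) {
        return ['ok' => false, 'status' => 400, 'message' => 'Invalid email address.'];
    }
    if (isDisposableDomain($domain)) {
        return ['ok' => false, 'status' => 400, 'message' => 'Disposable email addresses are not allowed.'];
    }
    return ['ok' => true, 'status' => 200, 'message' => 'Email accepted.'];
}

// Constructed sample inputs, one per edge case.
$samples = [
    'alice@example.com',      // accepted
    'bob@yopmail.com',        // blocked: exact match
    'carol@YOPMAIL.COM',      // blocked: case-folded before comparison
    'dave@mail.yopmail.com',  // blocked: subdomain of a blocked domain
    'no-at-sign',             // rejected: malformed, no domain to check
    '',                       // rejected: malformed
];
foreach ($samples as $sample) {
    $result = validateRegistrationEmail($sample);
    printf("%-25s -> %d %s\n", var_export($sample, true), $result['status'], $result['message']);
}
```

Run it with `php validate_email.php` (any file name works). Two design points matter beyond the page's snippet: the format check happens before the domain split, so a missing "@" is reported as a 400 instead of silently passing an empty domain through in_array, and the comparison is done on a normalised, lower-cased domain with a suffix match, which is what lets a static blocklist hold up against trivial case and subdomain variations. Keeping the blocklist in code is only a starting point; such lists go stale quickly, so in practice it should be loaded from a maintained source.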
