0029c444ad
refs https://github.com/TryGhost/Product/issues/3651 - This is a security fix that addresses an issue allowing malicious users to abuse the test / preview email API endpoint. - We now have multiple procedures in place to limit such users. - First, we only allow one email address to be passed into the `sendTestEmail` method. This method has only one purpose, which is to complement the test email functionality within the Editor in Admin, and therefore has no reason to send to more than one email address at a time. - We then add an additional rate limiter to prevent a user from making multiple requests, e.g. via a script. - The newly imposed limit is 10 test emails per hour.
// This test lives separately from the other email preview tests because the rate limiter would interfere with them
const {agentProvider, fixtureManager, mockManager, configUtils} = require('../../utils/e2e-framework');
const sinon = require('sinon');
const DomainEvents = require('@tryghost/domain-events');
/**
 * Waits until every pending DomainEvents handler has settled, so a test does not
 * finish while event-driven work from its requests is still in flight.
 *
 * @returns {Promise<void>}
 */
async function allSettled() {
    const pending = DomainEvents.allSettled();
    await pending;
}
describe('Rate limiter', function () {
|
|
let agent;
|
|
|
|
afterEach(function () {
|
|
mockManager.restore();
|
|
sinon.restore();
|
|
});
|
|
|
|
beforeEach(function () {
|
|
mockManager.mockMailgun();
|
|
});
|
|
|
|
before(async function () {
|
|
agent = await agentProvider.getAdminAPIAgent();
|
|
await fixtureManager.init('users', 'newsletters', 'posts');
|
|
await agent.loginAsOwner();
|
|
});
|
|
|
|
it('is rate limited against spammmer requests', async function () {
|
|
const testEmailSpamBlock = configUtils.config.get('spam').email_preview_block;
|
|
const requests = [];
|
|
for (let i = 0; i < testEmailSpamBlock.freeRetries + 1; i += 1) {
|
|
const req = await agent
|
|
.post(`email_previews/posts/${fixtureManager.get('posts', 0).id}/`)
|
|
.body({
|
|
emails: ['test@ghost.org']
|
|
});
|
|
requests.push(req);
|
|
}
|
|
await Promise.all(requests);
|
|
|
|
await agent
|
|
.post(`email_previews/posts/${fixtureManager.get('posts', 0).id}/`)
|
|
.body({
|
|
emails: ['test@ghost.org']
|
|
})
|
|
.expectStatus(429);
|
|
|
|
await allSettled();
|
|
});
|
|
});