JakeHillion/storj
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

satellite/console,web/satellite: remove user input from welcome and invite emails

Browse Source 
Emails should not contain user input that could be used by malicious
agents to deliver a message. Usernames have been removed from
account activation emails, and project names have been removed from
project invitation emails.

References storj-private#133

Change-Id: Ic05921149b409145df109c0966ea5dfd86d86eb1
This commit is contained in:
Jeremy Wharton 2023-01-31 15:22:17 -06:00 committed by Storj Robot
parent 15508d270c
commit 897de167a6
6 changed files with 16 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
satellite/console/consoleweb/consoleapi/auth.go
View File

@ -349,18 +349,13 @@ func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
}
link := a.ActivateAccountURL + "?token=" + token
userName := user.ShortName
if user.ShortName == "" {
userName = user.FullName
}
a.mailService.SendRenderedAsync(
ctx,
[]post.Address{{Address: user.Email, Name: userName}},
[]post.Address{{Address: user.Email}},
&console.AccountActivationEmail{
ActivationLink: link,
Origin: a.ExternalAddress,
UserName: userName,
},
)
}
@ -684,24 +679,18 @@ func (a *Auth) ResendEmail(w http.ResponseWriter, r *http.Request) {
return
}
userName := user.ShortName
if user.ShortName == "" {
userName = user.FullName
}
link := a.ActivateAccountURL + "?token=" + token
contactInfoURL := a.ContactInfoURL
termsAndConditionsURL := a.TermsAndConditionsURL
a.mailService.SendRenderedAsync(
ctx,
[]post.Address{{Address: user.Email, Name: userName}},
[]post.Address{{Address: user.Email}},
&console.AccountActivationEmail{
Origin: a.ExternalAddress,
ActivationLink: link,
TermsAndConditionsURL: termsAndConditionsURL,
ContactInfoURL: contactInfoURL,
UserName: userName,
},
)
}

7
satellite/console/consoleweb/consoleql/mutation.go
View File

@ -139,6 +139,11 @@ func rootMutation(log *zap.Logger, service *console.Service, mailService *mailse
},
},
Resolve: func(p graphql.ResolveParams) (interface{}, error) {
inviter, err := console.GetUser(p.Context)
if err != nil {
return nil, err
}
pID, _ := p.Args[FieldProjectID].(string)
emails, _ := p.Args[FieldEmail].([]interface{})
@ -182,7 +187,7 @@ func rootMutation(log *zap.Logger, service *console.Service, mailService *mailse
&console.ProjectInvitationEmail{
Origin: origin,
UserName: userName,
ProjectName: project.Name,
InviterEmail: inviter.Email,
SignInLink: signIn,
LetUsKnowURL: letUsKnowURL,
TermsAndConditionsURL: termsAndConditionsURL,

10
satellite/console/emailreminders/chore.go
View File

@ -90,20 +90,15 @@ func (chore *Chore) Run(ctx context.Context) (err error) {
authController := consoleapi.NewAuth(chore.log, nil, nil, nil, nil, nil, "", chore.address, "", "", "", "")
link := authController.ActivateAccountURL + "?token=" + token
userName := u.ShortName
if u.ShortName == "" {
userName = u.FullName
}
// blocking send allows us to verify that links are clicked in tests.
if chore.useBlockingSend {
err = chore.mailService.SendRendered(
ctx,
[]post.Address{{Address: u.Email, Name: userName}},
[]post.Address{{Address: u.Email}},
&console.AccountActivationEmail{
ActivationLink: link,
Origin: authController.ExternalAddress,
UserName: userName,
},
)
if err != nil {
@ -113,11 +108,10 @@ func (chore *Chore) Run(ctx context.Context) (err error) {
} else {
chore.mailService.SendRenderedAsync(
ctx,
[]post.Address{{Address: u.Email, Name: userName}},
[]post.Address{{Address: u.Email}},
&console.AccountActivationEmail{
ActivationLink: link,
Origin: authController.ExternalAddress,
UserName: userName,
},
)
}

5
satellite/console/mail.go
View File

@ -11,7 +11,6 @@ type AccountActivationEmail struct {
ActivationLink string
ContactInfoURL string
TermsAndConditionsURL string
UserName string
}
// Template returns email template name.
@ -41,7 +40,7 @@ func (*ForgotPasswordEmail) Subject() string { return "Password recovery request
type ProjectInvitationEmail struct {
Origin string
UserName string
ProjectName string
InviterEmail string
SignInLink string
LetUsKnowURL string
ContactInfoURL string
@ -53,7 +52,7 @@ func (*ProjectInvitationEmail) Template() string { return "Invite" }
// Subject gets email subject.
func (email *ProjectInvitationEmail) Subject() string {
return "You were invited to join the Project " + email.ProjectName
return "You were invited to join a project on Storj"
}
// UnknownResetPasswordEmail is mailservice template with unknown password reset data.

6
web/satellite/static/emails/Invite.html
View File

@ -422,9 +422,9 @@
<div style="margin: 12px 20px;">
<div style="mso-line-height-rule: exactly;mso-text-raise: 4px;">
<p class="size-20" style="Margin-top: 0;Margin-bottom: 0;font-family: 'montserrat','dejavu sans','verdana',sans-serif;font-size: 17px;line-height: 26px;" lang="x-size-20">
<span class="font-montserrat">You were invited to the
<a href="{{ .Origin }}" style="color: #2683ff; text-decoration: none; font-weight: bold;">{{ .ProjectName }}</a>
on Storj
<span class="font-montserrat">You were invited to join
<a href="{{ .Origin }}" style="color: #2683ff; text-decoration: none; font-weight: bold;">a project</a>
on Storj by {{ .InviterEmail }}
</span>
</p>
<p class="size-20"

2
web/satellite/static/emails/Welcome.html
View File

@ -154,7 +154,7 @@
<div style="font-family: 'Roboto', 'Tahoma', 'Verdana', 'Segoe', sans-serif;
line-height: 1.2; font-size: 12px; color: #000000; mso-line-height-alt: 14px;">
<p style="font-size: 14px; line-height: 1.2; mso-line-height-alt: 17px; margin: 0;">
<span style="font-size: 18px;">Hi {{ .UserName }},</span>
<span style="font-size: 18px;">Hi,</span>
</p>
<p style="font-size: 12px; line-height: 1.2; mso-line-height-alt: 14px; margin: 0;"><br>
<span style="font-size: 18px;">You created an account on Storj.