Merge pull request #3908 from EifonUser/SHARE-518

SHARE-518 Enhance Email validation

src/Api/Services/User/UserRequestValidator.php

@@ -84,13 +84,17 @@ public function validateResetPasswordRequest(ResetPasswordRequest $request, stri
   private function validateEmail(?string $email, string $locale, string $mode): void
   {
     $KEY = 'email';
+    $emailParts = explode('.', $email);
+    $tld = strtolower(end($emailParts));
 
     if (self::MODE_UPDATE !== $mode && (is_null($email) || '' === trim($email))) {
       $this->getValidationWrapper()->addError($this->__('api.registerUser.emailMissing', [], $locale), $KEY);
     } elseif (self::MODE_UPDATE === $mode && '' === trim($email)) {
       $this->getValidationWrapper()->addError($this->__('api.registerUser.emailEmpty', [], $locale), $KEY);
     } elseif (0 !== count($this->validate($email, new Email()))) {
       $this->getValidationWrapper()->addError($this->__('api.registerUser.emailInvalid', [], $locale), $KEY);
+    } elseif (!$this->isValidTLD($tld)) {
+      $this->getValidationWrapper()->addError($this->__('api.registerUser.emailInvalid', [], $locale), $KEY);
     } elseif (self::MODE_RESET_PASSWORD !== $mode && null != $this->user_manager->findUserByEmail($email)) {
       $this->getValidationWrapper()->addError($this->__('api.registerUser.emailAlreadyInUse', [], $locale), $KEY);
     }
@@ -169,4 +173,32 @@ private function validateAndResizePicture(string $picture_in, ?string &$picture_
       $this->getValidationWrapper()->addError($this->__('api.registerUser.pictureInvalid', [], $locale), $KEY);
     }
   }
+
+  private function getValidTLDs(): array
+  {
+    $validTLDs = [];
+    $pslFile = file_get_contents('https://publicsuffix.org/list/public_suffix_list.dat');
+    $pslLines = explode("\n", $pslFile);
+
+    foreach ($pslLines as $line) {
+      $line = trim($line);
+      if ('' == $line || '/' == $line[0] || '!' == $line[0]) {
+        continue;
+      }
+
+      $tld = ltrim($line, '*.');
+      if (!in_array($tld, $validTLDs, true)) {
+        $validTLDs[] = $tld;
+      }
+    }
+
+    return $validTLDs;
+  }
+
+  private function isValidTLD(string $tld): bool
+  {
+    $validTLDs = $this->getValidTLDs();
+
+    return in_array($tld, $validTLDs, true);
+  }
 }

tests/BehatFeatures/api/user/POST_user/user_register.feature

@@ -266,3 +266,25 @@ Feature: Registering a new user.
     And I have a request header "CONTENT_TYPE" with value "application/json"
     And I request "POST" "/api/user"
     Then the response status code should be "406"
+
+  Scenario: Invalid TLD in email
+
+  Given I have the following JSON request body:
+    """
+      {
+        "dry-run": true,
+        "email": "testqtest.invalid",
+        "username": "invalidTLD",
+        "password": "1234asdf"
+      }
+    """
+    And I have a request header "CONTENT_TYPE" with value "application/json"
+    And I have a request header "HTTP_ACCEPT" with value "application/json"
+    And I request "POST" "/api/user"
+    Then the response status code should be "422"
+    And I should get the json object:
+    """
+      {
+        "email": "Email invalid"
+      }
+    """

tests/BehatFeatures/api/user/PUT_user/update_user.feature

@@ -233,3 +233,22 @@ Feature: Update user
     """
     And I request "PUT" "/api/user"
     Then the response code should be "415"
+
+  Scenario: Update email with invalid TLD
+    Given I use a valid JWT Bearer token for "Catroweb"
+    And I have a request header "HTTP_ACCEPT" with value "application/json"
+    And I have a request header "CONTENT_TYPE" with value "application/json"
+    And I have the following JSON request body:
+    """
+      {
+        "email": "[email protected]"
+      }
+    """
+    And I request "PUT" "/api/user"
+    Then the response code should be "422"
+    And I should get the json object:
+    """
+      {
+        "email": "Email invalid"
+      }
+    """