reject requests with invalid email format

weseek · Sep 27, 2024 · 55dff1c · 55dff1c
1 parent e5c1fa2
commit 55dff1c
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/apps/app/src/server/routes/apiv3/forgot-password.js b/apps/app/src/server/routes/apiv3/forgot-password.js
@@ -62,11 +62,16 @@ module.exports = (crowi) => {
   }
 
   router.post('/', checkPassportStrategyMiddleware, addActivity, async(req, res) => {
+    const validEmailRegexp = new RegExp(/^[\w+\-.]+@[a-z\d\-.]+\.[a-z]+$/, 'i');
     const { email } = req.body;
     const locale = configManager.getConfig('crowi', 'app:globalLang');
     const appUrl = appService.getSiteUrl();
 
     try {
+      if (!validEmailRegexp.test(email.toString())) {
+        throw new Error('invalid email format.');
+      }
+
       const user = await User.findOne({ email });
 
       // when the user is not found or active