KoalaBotUK / KoalaBot

🐨 All in one Discord bot for student societies & communities
https://KoalaBot.uk
MIT License

Fix injection vulnerability with multiple emails #408

Closed hydrowan closed 1 year ago

hydrowan commented 1 year ago

Summary

When a user verifies with the bot they are prompted to provide an email address to verify they belong to the domain the bot has been set up with. The bot detects if the domain is present, but does not filter out multiple emails. It is possible to 'inject' your own random email followed by a comma and a fake institutional email to gain access to any server.

I have tried to be as unintrusive as possible with a fix, but do not have the ability to test these changes. Please note this adds the requirement for regular expressions.

Checklist
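The weakness described above, shown as an added example that is not KoalaBot's own code and does not reproduce its verification cog: a hypothetical "domain appears somewhere in the input" check beside a strict replacement that accepts exactly one well-formed address and compares its domain for equality (so it also rejects look-alike domains such as a subdomain or a longer host that merely contains the configured domain, which goes slightly beyond the comma case the PR describes). The domain, the regex and the function names are assumptions for illustration; the real bot reads its configured domain from its own settings.

```python
import re

# Constructed example domain; KoalaBot's configured domain comes from its own
# settings, which are not shown here.
ALLOWED_DOMAIN = "example.ac.uk"

# Assumed pattern (not the project's regex): exactly one local part, one "@",
# one dotted host, and nothing else. Commas, spaces and a second address can
# never match, because none of those characters are permitted anywhere.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def weak_domain_check(user_input: str, domain: str = ALLOWED_DOMAIN) -> bool:
    """Hypothetical shape of the weak check: true whenever the configured
    domain appears as a substring, regardless of what surrounds it."""
    return domain in user_input


def strict_email_check(user_input: str, domain: str = ALLOWED_DOMAIN) -> bool:
    """Accept the input only if it is a single well-formed address whose
    domain part is exactly the configured domain (case-insensitive)."""
    match = EMAIL_RE.fullmatch(user_input.strip())
    if match is None:
        return False
    return match.group(1).lower() == domain.lower()


if __name__ == "__main__":
    # Constructed inputs: one legitimate address and three that the weak
    # check accepts but the strict check rejects.
    samples = [
        "alice@example.ac.uk",
        "someone@mail.test, bob@example.ac.uk",   # two addresses, as in the report
        "bob@example.ac.uk.other.test",           # configured domain as a prefix
        "bob@notexample.ac.uk",                   # configured domain as a suffix
    ]
    for s in samples:
        print(f"{s!r:45} weak={weak_domain_check(s)!s:5} strict={strict_email_check(s)}")
```

Whatever validator is used, the address that passes it should be the only one the bot ever sends the verification code to; validating first and then handing the raw input to the mailer would reintroduce the problem.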