search

sul-dlss / happy-heron

Self-Deposit for the Stanford Digital Repository (SDR): H2 is a Rails web application enabling users to deposit scholarly content into SDR
Apache License 2.0
10 stars 2 forks source link

Verify email informaton prior to sending #3553

Open honeybadger[bot] opened 6 months ago

honeybadger[bot] commented 6 months ago

The HelpsController allows non-logged in users to send a help email, and the required attribute on form elements ensures that the email is supplied.

However we've had a case where a bot discovered the form and submitted it, which generated a bunch of HelpsMailer Sidekiq jobs which failed, because the From address was not supplied (taken from the email input element).

Perhaps the controller should verify the input before sending off the email job?

Here's an example of a Honeybadger notification:

https://app.honeybadger.io/projects/77112/faults/108352644

And the non-Shibboleth request that generated it:

66.94.113.176 - "" [02/Jun/2024:17:51:05 -0700] "POST /help HTTP/1.1" 200 327 "https://sdr.stanford.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"

Other request activity from that IP address makes it clear that it was a bot probing for vulnerabilities.