diff --git a/.reek b/.reek
index 54bff8852c2..8519287f83d 100644
--- a/.reek
+++ b/.reek
@@ -49,6 +49,7 @@ FeatureEnvy:
 - Idv::Proofer#validate_vendors
 - PersonalKeyGenerator#create_legacy_recovery_code
 - TwoFactorAuthenticationController#capture_analytics_for_exception
+ - Users::SessionsController#configure_permitted_parameters
 InstanceVariableAssumption:
 exclude:
 - User
@@ -59,6 +60,7 @@ ManualDispatch:
 exclude:
 - EncryptedSidekiqRedis#respond_to_missing?
 - CloudhsmKeyGenerator#initialize_settings
+ - Users::SessionsController#configure_permitted_parameters
 NestedIterators:
 exclude:
 - UserFlowExporter#self.massage_html
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 31a53946858..3372aae0914 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -9,6 +9,7 @@ class SessionsController < Devise::SessionsController
 skip_before_action :require_no_authentication, only: [:new]
 before_action :check_user_needs_redirect, only: [:new]
 before_action :apply_secure_headers_override, only: [:new]
+ before_action :configure_permitted_parameters, only: [:new]
 
 def new
 analytics.track_event(
@@ -48,6 +49,12 @@ def timeout
 
 private
 
+ def configure_permitted_parameters
+ devise_parameter_sanitizer.permit(:sign_in) do |user_params|
+ user_params.permit(:email) if user_params.respond_to?(:permit)
+ end
+ end
+
 def redirect_to_signin
 controller_info = 'users/sessions#create'
 analytics.track_event(Analytics::INVALID_AUTHENTICITY_TOKEN, controller: controller_info)
diff --git a/spec/requests/invalid_sign_in_params_spec.rb b/spec/requests/invalid_sign_in_params_spec.rb
new file mode 100644
index 00000000000..c0dd3dc1b33
--- /dev/null
+++ b/spec/requests/invalid_sign_in_params_spec.rb
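Review bot: The sanitizer block in `configure_permitted_parameters` yields `nil` whenever `user_params` does not respond to `permit` (a bare `?user=foo` string, which is exactly what the new request spec sends), so on that path `sign_in_params` is nil rather than an empty permitted set; whether the sanitizer normalizes that nil to `{}` depends on the Devise version, so an explicit empty result is the safer contract: `user_params.respond_to?(:permit) ? user_params.permit(:email) : {}`. The override is also registered `only: [:new]`, so any other action in this controller that reads `sign_in_params` (the body of `create` is outside the hunk) still goes through Devise's default sanitizer and would hit the original error on the same malformed input; worth confirming that is intentional. Narrowing the whitelist to `:email` is reasonable for `new`, which presumably only uses it to pre-fill the form, but none of this reasoning is recorded; a why-comment above the method would help the next reader, e.g. `# A non-hash user param (e.g. ?user=foo) cannot be permitted; drop it instead of raising. Only :email is exposed here because new just pre-fills the form.`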
@@ -0,0 +1,7 @@
+require 'rails_helper'
+
+describe 'visiting sign in page with invalid user params' do
+ it 'does not raise an exception' do
+ get new_user_session_path, params: { user: 'test@test.com' }
+ end
+end
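Review bot: The new example carries no expectation, so it only fails if the request raises; if a future regression is rescued upstream into an error page (for example with `show_exceptions` enabled in the test environment), the example still passes. Asserting the rendered outcome pins the fix: `expect(response).to have_http_status(:ok)` after the `get`, assuming the sign-in page renders for an anonymous visitor as the controller's `new` appears to. An array form of the same input, `params: { user: ['test@test.com'] }`, is worth a second example since it takes the same non-permittable branch in the sanitizer block.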