confirmation: Prevent re-use of email change links.

The .status value of EmailChangeStatus was not being looked at anywhere to prevent re-use of email change confirmation links. This is not a security issue, since the EmailChangeStatus object has a fixed value for the new_email, while the confirmation link has expiry time of 1 day, which prevents any reasonable malicious scenarios. We fix this by making get_object_from_key look at confirmation.content_object.status - which applies generally to all confirmations where the attached object has the .status attribute. This is desired, because we never want to successfully get_object_from_key an object that has already been used or reused. This makes the prereg_user.status check in check_prereg_key redundant so it can be deleted.
2025-11-02 04:53:36 +00:00 · 2022-07-25 19:55:35 +02:00
parent 9992c7b6cc
commit 0e2691815e
3 changed files with 28 additions and 7 deletions
--- a/confirmation/models.py
+++ b/confirmation/models.py
@@ -17,6 +17,7 @@ from django.shortcuts import render
 from django.urls import reverse
 from django.utils.timezone import now as timezone_now

+from confirmation import settings as confirmation_settings
 from zerver.lib.types import UnspecifiedValue
 from zerver.models import EmailChangeStatus, MultiuseInvite, PreregistrationUser, Realm, UserProfile

@@ -77,6 +78,13 @@ def get_object_from_key(
    obj = confirmation.content_object
    assert obj is not None

+    used_value = confirmation_settings.STATUS_USED
+    revoked_value = confirmation_settings.STATUS_REVOKED
+    if hasattr(obj, "status") and obj.status in [used_value, revoked_value]:
+        # Confirmations where the object has the status attribute are one-time use
+        # and are marked after being used (or revoked).
+        raise ConfirmationKeyException(ConfirmationKeyException.EXPIRED)
+
    if mark_object_used:
        # MultiuseInvite objects have no status field, since they are
        # intended to be used more than once.