From 3d1e6af8d56baebf8a35535d8346808fbe5c055e Mon Sep 17 00:00:00 2001
From: Denis Arh
Date: Wed, 8 Apr 2020 17:17:46 +0200
Subject: [PATCH] Harden user data input check

---
 system/service/user.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/system/service/user.go b/system/service/user.go
index dced71f9a..4381ed994 100644
--- a/system/service/user.go
+++ b/system/service/user.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"github.com/cortezaproject/corteza-server/pkg/handle"
 	"io"
+	"net/mail"
 	"regexp"
 	"strconv"
 	"strings"
@@ -27,6 +28,7 @@ const (
 	ErrUserHandleNotUnique = serviceError("UserHandleNotUnique")
 	ErrUserUsernameNotUnique = serviceError("UserUsernameNotUnique")
 	ErrUserEmailNotUnique = serviceError("UserEmailNotUnique")
+	ErrUserInvalidEmail = serviceError("UserInvalidEmail")
 	ErrUserLocked = serviceError("UserLocked")
 
 	maskPrivateDataEmail = "####.#######@######.###"
@@ -257,6 +259,10 @@ func (svc user) Create(new *types.User) (u *types.User, err error) {
 		return nil, ErrInvalidHandle.withStack()
 	}
 
+	if _, err := mail.ParseAddress(new.Email); err != nil {
+		return nil, ErrUserInvalidEmail.withStack()
+	}
+
 	if svc.subscription != nil {
 		// When we have an active subscription, we need to check
 		// if users can be creare or did this deployment hit
@@ -304,6 +310,10 @@ func (svc user) Update(upd *types.User) (u *types.User, err error) {
 		return nil, ErrInvalidHandle.withStack()
 	}
 
+	if _, err := mail.ParseAddress(upd.Email); err != nil {
+		return nil, ErrUserInvalidEmail.withStack()
+	}
+
 	if u, err = svc.user.FindByID(upd.ID); err != nil {
 		return
 	}
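Review bot: The parsed result is thrown away, so in Create the new guard only proves that `new.Email` contains a valid RFC 5322 address somewhere inside it; an input such as `Alice <alice@example.com>` parses fine and is then stored verbatim with the display name and angle brackets. Since the same const block declares `ErrUserEmailNotUnique`, a uniqueness lookup by the stored string presumably exists elsewhere, and a decorated variant of an already-registered mailbox would likely slip past it. Tightening the condition to `if addr, err := mail.ParseAddress(new.Email); err != nil || addr.Address != new.Email {` rejects anything that is not a bare `local@domain`, or alternatively assign `new.Email = addr.Address` to normalize before the lookup. Note too that `net/mail` accepts dotless hosts such as `user@localhost`, which may or may not be acceptable for this deployment. Create's body starts before the hunk and continues past it.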
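Review bot: In Update the new guard runs unconditionally and before `FindByID`, so any stored user whose Email is empty, or whose pre-existing value `net/mail` rejects, can no longer be updated at all, because `mail.ParseAddress("")` fails with "no address". If an empty or externally-provisioned email is a legitimate state for some accounts (not verifiable from this hunk), validate only when the value is actually changing: move the check below the `FindByID` call and gate it with `if upd.Email != u.Email {`. The same leniency as in Create applies here, so adding `|| addr.Address != upd.Email` to the condition keeps only bare `local@domain` values. Update's body starts before the hunk and continues past it.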