Merge pull request #179 from uclibs/148-format-validation-vulnerability

148 format validation vulnerability

app/models/submitter.rb

@@ -5,7 +5,7 @@ class Submitter < ApplicationRecord
   validates :first_name, presence: true
   validates :last_name, presence: true
   validates :mailing_address, presence: true
-  validates :phone_number, presence: true, format: { with: /\d{3}-\d{3}-\d{4}/, message: 'Please use the format 111-111-1111' }
+  validates :phone_number, presence: true, format: { with: /\A\d{3}-\d{3}-\d{4}\z/, message: 'Please use the format 111-111-1111' }
   validates :email_address, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP, message: 'Please enter a valid email' }
 
   def self.to_csv

spec/models/submitter_spec.rb

@@ -26,18 +26,32 @@
     expect(subject).to_not be_valid
   end
 
+  it 'is valid with a properly formatted phone_number' do
+    subject.phone_number = '111-111-1111'
+    expect(subject).to be_valid
+  end
+
   it 'is not valid without a phone_number' do
     subject.phone_number = nil
     expect(subject).to_not be_valid
   end
 
-  it 'is not valid without a email_address' do
-    subject.email_address = nil
-    expect(subject).to_not be_valid
+  it 'is not valid with an improperly formatted phone_number' do
+    [
+      '1111111111',       # no dashes
+      '111-1111-1111',    # too many digits
+      '11-111-1111',      # too few digits
+      '111-111-1111abc',  # additional characters
+      'abc111-111-1111',  # additional characters
+      '1-111-111-1111'    # too many sections and digits
+    ].each do |invalid_number|
+      subject.phone_number = invalid_number
+      expect(subject).to_not be_valid, "Expected #{invalid_number} to be invalid"
+    end
   end
 
-  it 'is not valid without a formatted phone_number' do
-    subject.phone_number = '1111111111'
+  it 'is not valid without a email_address' do
+    subject.email_address = nil
     expect(subject).to_not be_valid
   end