Implementation of email validation to prevent registration with disposable mailboxes
public function register(Request $request) {
    // Vulnerable version: the submitted email is stored without any validation.
    $email = $request->input('email');
    $user = new User();
    $user->email = $email;
    $user->password = Hash::make($request->input('password'));
    $user->save();
    return response()->json('User registered successfully!', 200);
}
The above code is a simple Laravel function for registering a new user. The function takes an HTTP request as input, extracts the 'email' and 'password' fields from the request, hashes the password using Laravel's Hash facade, and saves the new user to the database.
The vulnerability is that no validation is performed on the email address provided by the user. In particular, the code does not check whether the address belongs to a disposable mailbox service such as yopmail. This allows an attacker to use disposable addresses to register many fake accounts, which can then be used for spamming, trolling, or other abuse.
public function register(Request $request) {
    $email = $request->input('email');
    // Domain part: everything after the last "@", lower-cased so the comparison
    // below is case-insensitive ("YopMail.com" is treated as "yopmail.com").
    $emailDomain = strtolower(substr(strrchr($email, "@"), 1));
    $blockedDomains = ['yopmail.com', 'tempmail.com', '10minutemail.com']; // Add more disposable email domains as needed
    if (in_array($emailDomain, $blockedDomains, true)) {
        return response()->json('Disposable email addresses are not allowed.', 400);
    }
    $user = new User();
    $user->email = $email;
    $user->password = Hash::make($request->input('password'));
    $user->save();
    return response()->json('User registered successfully!', 200);
}
The updated code now includes a check for disposable email addresses.
First, we extract the domain from the email address provided by the user. This is done by using the substr and strrchr functions to get the substring after the "@" symbol.
Next, we define a list of blocked domains. This list includes 'yopmail.com', 'tempmail.com', and '10minutemail.com', but you can add more disposable email domains as needed.
We then check if the extracted email domain is in the list of blocked domains using the in_array function. If the domain is in the list, we return a 400 response with an error message indicating that disposable email addresses are not allowed.
If the domain is not in the list of blocked domains, we proceed with the user registration process as usual. The user's email and hashed password are saved, and a 200 response is returned with a success message.
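An exact string comparison on the raw domain leaves a few gaps that a practical check should close. The plain-PHP functions below are an added example, not the article's code (the names emailDomain() and isAllowedRegistrationEmail() are assumed): they validate the address format first, compare domains case-insensitively, and also block subdomains of a listed domain; in a Laravel controller the check would run inside a validation rule before the user is saved.

```php
<?php
// Added example, not the article's code. Assumed names: emailDomain() and
// isAllowedRegistrationEmail(). Needs PHP 8.0+ for str_ends_with().

// Lower-cased domain of a well-formed address, or null for malformed input.
// Validating first matters: with no "@" present, strrchr() returns false and
// an unvalidated substr() call would not reject the input.
function emailDomain(string $email): ?string
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower(substr(strrchr($email, '@'), 1));
}

// True only for a well-formed address whose domain is neither a blocked
// domain nor a subdomain of one. Comparing lower-cased strings closes the
// gap where a case-sensitive exact match would accept "YopMail.com".
function isAllowedRegistrationEmail(string $email, array $blockedDomains): bool
{
    $domain = emailDomain($email);
    if ($domain === null) {
        return false; // malformed: reject instead of storing an unusable address
    }
    foreach ($blockedDomains as $blocked) {
        $blocked = strtolower($blocked);
        if ($domain === $blocked || str_ends_with($domain, '.' . $blocked)) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs covering what an exact string match would miss.
$blocked = ['yopmail.com', 'tempmail.com', '10minutemail.com'];
$cases = [
    ['alice@yopmail.com', false],    // exact match from the article's list
    ['Alice@YopMail.COM', false],    // mixed case
    ['bob@mail.yopmail.com', false], // subdomain of a blocked domain
    ['carol@notyopmail.com', true],  // similar name, not a subdomain
    ['no-at-sign', false],           // malformed input
];
foreach ($cases as [$email, $expected]) {
    if (isAllowedRegistrationEmail($email, $blocked) !== $expected) {
        throw new RuntimeException("unexpected result for $email");
    }
}
echo "all checks passed\n";
```

Run it with the php CLI; a static blocklist still needs maintaining, since disposable providers add domains constantly.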