iachat/config
João Pedro Baza Garcia Rodrigues 4d362da9f0
fix: Prevent user enumeration on password reset endpoint (#13528)
## Description

The current password reset endpoint returns different HTTP status codes
and messages depending on whether the email exists in the system (200
for existing emails, 404 for non-existing ones). This allows attackers
to enumerate valid email addresses via the password reset form.

## Changes

### `app/controllers/devise_overrides/passwords_controller.rb`
- Removed the `if/else` branch that returned different responses based
on email existence
- Now always returns a generic `200 OK` response with the same message
regardless of whether the email exists
- Uses safe navigation operator (`&.`) to send reset instructions only
if the user exists

### `config/locales/en.yml`
- Consolidated `reset_password_success` and `reset_password_failure`
into a single generic `reset_password` key
- New message does not reveal whether the email exists in the system

## Security Impact
- **Before**: An attacker could determine if an email was registered by
observing the HTTP status code (200 vs 404) and response message
- **After**: All requests receive the same 200 response with a generic
message, preventing user enumeration

This follows [OWASP guidelines for authentication error
messages](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-responses).

Fixes #13527
2026-02-13 13:45:40 +05:30
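The pattern the commit describes, as an added, Rails-free illustration that is not Chatwoot's own code: a tiny in-memory user store plus a password-reset handler written twice, once in the leaking shape (status and message vary with account existence) and once in the fixed shape (one `200` and one generic message for every input, with the reset email still sent only when the account exists). The names `UserStore`, `PasswordResetEndpoint`, `MESSAGES` and the sample addresses are assumptions made for this example.

```ruby
# Added example (not Chatwoot's code): password reset before/after the
# user-enumeration fix. UserStore, PasswordResetEndpoint and MESSAGES are
# assumed names; the addresses below are constructed sample data.

require 'securerandom'

# Constructed in-memory directory standing in for the User model.
class UserStore
  def initialize(emails)
    @users = emails.map { |e| [e.downcase, { email: e.downcase, token: nil }] }.to_h
  end

  # Mirrors User.find_by(email: ...): nil when the address is unknown.
  def find_by_email(email)
    @users[email.to_s.strip.downcase]
  end
end

# Locale strings: the two old keys and the single consolidated key.
MESSAGES = {
  reset_password_success: 'Reset password instructions have been sent.',
  reset_password_failure: 'No account found for that email.',
  reset_password: 'If an account exists for that email, reset instructions have been sent.'
}.freeze

class PasswordResetEndpoint
  attr_reader :sent

  def initialize(store)
    @store = store
    @sent = [] # records which addresses actually received instructions
  end

  # Stand-in for Devise's send_reset_password_instructions.
  def send_reset_instructions(user)
    user[:token] = SecureRandom.hex(16)
    @sent << user[:email]
  end

  # Leaking shape: status code and message depend on whether the account exists.
  def create_before(email)
    user = @store.find_by_email(email)
    if user
      send_reset_instructions(user)
      { status: 200, message: MESSAGES[:reset_password_success] }
    else
      { status: 404, message: MESSAGES[:reset_password_failure] }
    end
  end

  # Fixed shape: identical response for every input; the side effect is
  # guarded with the safe navigation operator, so no branch reaches the client.
  def create_after(email)
    @store.find_by_email(email)&.then { |u| send_reset_instructions(u) }
    { status: 200, message: MESSAGES[:reset_password] }
  end
end

# Regression check: a known and an unknown address must yield equal responses.
def indistinguishable?(endpoint, known, unknown)
  endpoint.create_after(known) == endpoint.create_after(unknown)
end

if __FILE__ == $PROGRAM_NAME
  ep = PasswordResetEndpoint.new(UserStore.new(['alice@example.test']))
  p ep.create_before('alice@example.test'), ep.create_before('bob@example.test')
  p ep.create_after('alice@example.test'), ep.create_after('bob@example.test')
  p indistinguishable?(ep, 'alice@example.test', 'bob@example.test')
end
```

The `indistinguishable?` check is the kind of assertion worth keeping in the request spec for this controller, so a later refactor cannot reintroduce a branch-dependent response. Note that equalising status and body covers the signal the commit names; because the mail is still generated only for existing accounts, the handler should do that work asynchronously (a background job) so that response time does not become a second, subtler difference.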
agents feat: add more tools (#12116) 2025-08-08 17:57:30 +05:30
environments chore: Improvements to codespaces (#11635) 2025-05-29 21:18:02 -06:00
initializers fix: velma connection limit (#13395) 2026-01-29 20:53:41 +05:30
integration feat: notion OAuth setup (#11765) 2025-06-26 19:16:06 +05:30
languages feat: Updated public portal header design (#8089) 2023-11-08 17:56:59 -08:00
locales fix: Prevent user enumeration on password reset endpoint (#13528) 2026-02-13 13:45:40 +05:30
app.yml Bump version to 4.10.1 2026-01-20 08:43:11 -08:00
application.rb Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037)" 2026-02-03 21:09:42 -08:00
boot.rb Upgrade to rails 6 💎 (#11) 2019-08-19 13:49:57 +05:30
cable.yml fix: Redis 6 on Heroku breaks ActionCable config (#4269) 2022-03-24 19:25:07 +05:30
database.yml perf: enable active record connection pool reaper (#10866) 2025-03-17 19:27:05 -07:00
elastic_apm.yml chore: Support for Elastic APM (#5004) 2022-07-22 11:39:37 +02:00
environment.rb Initial Commit 2019-08-14 15:18:44 +05:30
features.yml fix: V2 Assignment service enhancements (#13036) 2026-02-11 12:24:45 +05:30
installation_config.yml feat: add per-account daily rate limit for outbound emails (#13411) 2026-02-03 02:06:51 +05:30
llm.yml feat: add global config for captain settings (#13141) 2026-01-12 19:54:19 +05:30
markdown_embeds.yml fix: Update Arcade embed aspect ratio (#12923) 2025-11-24 20:22:27 +05:30
newrelic.yml fix: logic error when setting new relic logging forwarding (#8687) 2024-01-11 21:05:04 +05:30
puma.rb chore: Fix puma configuration (#5023) 2022-07-12 12:27:33 +02:00
rds-ca-2019-root.pem chore: add aws rds root cert for tls connection (#3812) 2022-02-01 16:01:25 +05:30
routes.rb feat: Add standalone outgoing messages count API endpoint (#13419) 2026-02-04 19:36:50 +05:30
schedule.yml chore: temporarily disable ProcessStaleContactsJob (#13462) 2026-02-06 13:27:51 +05:30
scout_apm.yml chore: Load only required APMs (#6497) 2023-03-01 14:31:51 +05:30
secrets.yml Use secret_key_base from env 2019-08-15 23:08:36 +05:30
sidekiq.yml chore: add script to throttle bulkreindex job creation and increase meta timeouts(#12626) 2025-10-13 16:21:45 +05:30
spring.rb 🚨Fix Rubocop lint errors 2019-10-20 14:17:26 +05:30
storage.yml Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037)" 2026-02-03 21:09:42 -08:00
vite.json feat: Vite + vue 3 💚 (#10047) 2024-10-02 00:36:30 -07:00