Reject OmniAuth sign in when email is too long
What does this MR do and why?
If an email passed via OmniAuth is longer than 254 characters, reject the sign in attempt and do not create/update the user. Normalizing extremely long strings can be intensive and email addresses should not be longer than 254 characters per spec.
Of note, we do not limit email address length in other areas of the application. We may want to consider that in the future. I queried GitLab.com to see if we had any email addresses longer than 254 characters. It appears we do not, which is great news. It means we should be extra safe with this change, though it only affects new users.
Query: Email.where('length(email)>254').count
=> 0
See related issue for more details: https://gitlab.com/gitlab-org/gitlab/-/issues/460714
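The guard described above, as an added illustration rather than the MR's own code: the length check runs on the raw provider-supplied string before any normalization, and a keyword argument stands in for the feature-flag gate. The auth-hash shape and helper names are assumptions for this example.

```ruby
# Added example, not GitLab's implementation. Rejects an OmniAuth-supplied
# email longer than 254 characters before normalization touches it, so an
# oversized string never reaches the expensive path.
MAX_EMAIL_LENGTH = 254

# Returns [:ok, normalized_email] or [:rejected, reason].
# auth_hash mirrors the OmniAuth shape { info: { email: ... } } (constructed,
# symbol keys). validate_length: false reproduces the pre-flag behaviour.
def validate_omniauth_email(auth_hash, validate_length: true)
  raw = auth_hash.dig(:info, :email)
  return [:rejected, :missing] if raw.nil? || raw.empty?

  # Length check first: a cheap O(n) count with no allocation, unlike the
  # strip/downcase normalization that follows.
  if validate_length && raw.length > MAX_EMAIL_LENGTH
    return [:rejected, :too_long]
  end

  [:ok, raw.strip.downcase]
end

# Constructed sample auth hashes: a normal address and a 255-character one.
OK_HASH   = { provider: 'example', info: { email: ' Alice@Example.com ' } }
LONG_HASH = { provider: 'example', info: { email: ('a' * 250) + '@x.io' } }

if __FILE__ == $PROGRAM_NAME
  p validate_omniauth_email(OK_HASH)    # [:ok, "alice@example.com"]
  p validate_omniauth_email(LONG_HASH)  # [:rejected, :too_long]
  p validate_omniauth_email(LONG_HASH, validate_length: false)  # [:ok, ...]
end
```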
Feature flag rollout: #475077 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- In the Rails console, enable the feature flag: Feature.enable(:omniauth_validate_email_length)
- Follow the instructions in the issue