From efeb4eaa8c27a65a1516af92c44273fcfbee87f5 Mon Sep 17 00:00:00 2001
From: abichan99911111
Date: Fri, 27 Sep 2024 08:36:56 +0000
Subject: [PATCH] reject requests with invalid format

---
 apps/app/src/server/routes/apiv3/forgot-password.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/app/src/server/routes/apiv3/forgot-password.js b/apps/app/src/server/routes/apiv3/forgot-password.js
index cb8a8c84071..8ed909df7c6 100644
--- a/apps/app/src/server/routes/apiv3/forgot-password.js
+++ b/apps/app/src/server/routes/apiv3/forgot-password.js
@@ -62,11 +62,16 @@ module.exports = (crowi) => {
   }
 
   router.post('/', checkPassportStrategyMiddleware, addActivity, async(req, res) => {
+    const validEmailRegexp = new RegExp(/^[\w+\-.]+@[a-z\d\-.]+\.[a-z]+$/, 'i');
     const { email } = req.body;
     const locale = configManager.getConfig('crowi', 'app:globalLang');
     const appUrl = appService.getSiteUrl();
 
     try {
+      if (!validEmailRegexp.test(email.toString())) {
+        throw new Error('invalid email format.');
+      }
+
       const user = await User.findOne({ email });
 
       // when the user is not found or active
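Review bot: The new guard calls `email.toString()` before checking anything about `email`, so a request body with no `email` field throws a TypeError inside the `try` instead of the intended 'invalid email format.' error, and a non-string value that stringifies to a valid address (for example the array `["a@b.com"]`) passes the regex while the original, unconverted value is still what reaches `User.findOne({ email })` on the following line. Check the type first and test the string itself: `if (typeof email !== 'string' || !validEmailRegexp.test(email)) { throw new Error('invalid email format.'); }`. The `new RegExp(/…/, 'i')` wrapper is redundant — the literal `/^[\w+\-.]+@[a-z\d\-.]+\.[a-z]+$/i` is equivalent and can be hoisted above `router.post` so it is not rebuilt on every request. The handler's `catch` lies outside this hunk, so whether the thrown error is mapped to a 400 rather than a generic failure cannot be confirmed here.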