Merge pull request from GHSA-49r3-2549-3633

Use only verified email address to prevent fake email address
nhosoya · Dec 3, 2020 · 98542c0 · 98542c0
2 parents 45cf13d + 71c5db4
commit 98542c0
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 ## [Unreleased]
 
+## [1.0.1] - 2020-12-xx
+
+### Security
+
+- Use only verified email address to prevent fake email address
+
 ## [1.0.0] - 2020-06-26
 
 ### Added
@@ -33,3 +39,4 @@
 
 [Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...master
 [1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0
+[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
diff --git a/lib/omniauth/apple/version.rb b/lib/omniauth/apple/version.rb
@@ -1,5 +1,5 @@
 module OmniAuth
   module Apple
-    VERSION = "1.0.0"
+    VERSION = "1.0.1"
   end
 end
diff --git a/lib/omniauth/strategies/apple.rb b/lib/omniauth/strategies/apple.rb
@@ -104,7 +104,7 @@ def user_info
       end
 
       def email
-        user_info['email'] || id_info['email']
+        id_info['email']
       end
 
       def first_name

diff --git a/spec/omniauth/strategies/apple_spec.rb b/spec/omniauth/strategies/apple_spec.rb
@@ -252,6 +252,21 @@
       end
     end
 
+    context 'with a spoofed email in the user payload' do
+      before do
+        request.params['user'] = {
+          name: {
+            firstName: 'first',
+            lastName: 'last'
+          },
+          email: "[email protected]"
+        }.to_json
+      end
+
+      it 'should return the true email' do
+        expect(subject.info[:email]).to eq('[email protected]')
+      end
+    end
   end
 
   describe '#extra' do