From cc84ea2444136df443aac33651d596cc8dd0b3e1 Mon Sep 17 00:00:00 2001
From: Krzysztof Kotlarek
Date: Wed, 10 Aug 2022 15:39:26 +1000
Subject: [PATCH] SECURITY: Limit email invitations to topic

---
 app/models/invite.rb | 2 ++
 spec/models/invite_spec.rb | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/app/models/invite.rb b/app/models/invite.rb
index d4922ecc1e..b0cc7e38b7 100644
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@@ -113,6 +113,8 @@ class Invite < ActiveRecord::Base
 invite.destroy
 invite = nil
 end
+ email_digest = Digest::SHA256.hexdigest(email)
+ RateLimiter.new(invited_by, "reinvites-per-day-#{email_digest}", 3, 1.day.to_i).performed!
 end
 
 emailed_status = if opts[:skip_email] || invite&.emailed_status == emailed_status_types[:not_required]
diff --git a/spec/models/invite_spec.rb b/spec/models/invite_spec.rb
index be2cd81414..faabf6229d 100644
--- a/spec/models/invite_spec.rb
+++ b/spec/models/invite_spec.rb
@@ -176,6 +176,24 @@ RSpec.describe Invite do
 
 expect(invite.invite_key).not_to eq(another_invite.invite_key)
 end
+
+ context "when email is already invited 3 times" do
+ before do
+ RateLimiter.enable
+ 3.times do
+ Invite.generate(user, email: "test@example.com")
+ end
+ end
+
+ after do
+ RateLimiter.clear_all!
+ end
+
+ it "raises an error" do
+ expect { Invite.generate(user, email: "test@example.com") }
+ .to raise_error(RateLimiter::LimitExceeded)
+ end
+ end
 end
 
 context 'when inviting to a topic' do
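Review bot: The limit of 3 per 1.day on the added `RateLimiter.new(...)` line is a bare magic number with no comment saying what abuse it bounds, and the key is scoped to `invited_by`, so the budget is per inviter account rather than per target address; a reader cannot tell from the hunk whether that scoping is intended. Consider hoisting the values to named constants (e.g. `REINVITES_PER_DAY = 3`) or a site setting, and adding above the two lines `# Bound how often one inviter can (re)send an invite to the same address, so the invite email cannot be used to spam a third party; keyed per inviter, so a different inviter starts with a fresh budget.` Note that `performed!` consumes a slot before the invite is actually created or sent, so a later failure or `opts[:skip_email]` path still counts against the limit, which is fail-closed and fine but worth stating in that comment. `Digest::SHA256` presumably resolves via the framework's autoloading; if this file is ever loaded outside Rails it would need `require "digest"`. The enclosing `self.generate` method starts and ends outside this hunk.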
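Review bot: The new example only pins the positive case; nothing asserts that the limit is keyed to the address, so a regression that keyed the limiter on the inviter alone (blocking invites to any other email after three calls) would pass this spec. Add a sibling example such as `it "still allows inviting a different address" do` / `expect { Invite.generate(user, email: "other@example.com") }.not_to raise_error` / `end`. The `after` block clears the counters with `RateLimiter.clear_all!` but, if `RateLimiter.enable` is a process-wide toggle, does not turn it back off, so rate limiting may stay enabled for later examples in the same process; pairing it with `RateLimiter.disable` in `after` would keep the examples isolated, assuming that counterpart exists in this project.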