From 91a90ca1d9ad2d5a6c2d7b8a4754cdcdd2a7ab44 Mon Sep 17 00:00:00 2001
From: Dulguun Otgon
Date: Thu, 21 Oct 2021 17:12:58 +0800
Subject: [PATCH] fix(regex exploit): Fixed a catastrophic backtracking exploit

https://huntr.dev/bounties/a5c41c37-4ba3-4623-af4f-2ebdbe374b32/?token=83c7143ffb30c582837e283f54634090bbd35ea31ab5b0ad74b9ca6b0660faff2ee8dcd07b9ff7fa7dbd5999f845d8f82b97d9e559d5c4cac4fb51b608d4a1946a0448efa37acac9b3fbb317cb13c232610b966a35ccca4a842f36c2f61b845aa741451dd4c9dcaafe606eb479db10475d9830465028ffea1169530730061dbb
---
 api/src/db/models/definitions/users.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/api/src/db/models/definitions/users.ts b/api/src/db/models/definitions/users.ts
index 6e56fa91347..841b2ddc53e 100644
--- a/api/src/db/models/definitions/users.ts
+++ b/api/src/db/models/definitions/users.ts
@@ -107,7 +107,10 @@ export const userSchema = schemaHooksWrapper(
 type: String,
 unique: true,
 match: [
- /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,10})+$/,
+ /**
+ * RFC 5322 compliant regex. Taken from http://emailregex.com/
+ */
+ /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/,
 'Please fill a valid email address'
 ],
 label: 'Email'
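Review bot: The added comment `RFC 5322 compliant regex` overstates what the new pattern accepts: it rejects several forms that are syntactically valid under RFC 5322 (for example `[IPv6:…]` domain literals, punycode TLDs such as `xn--p1ai` because the TLD is `[a-zA-Z]{2,}`, and any non-ASCII character) and accepts `[999.999.999.999]` as an IPv4 literal. The property that actually matters for this fix is the backtracking one, and that is what the comment should state: every repeated group is delimited by a character its own class excludes (`.` for local-part segments and domain labels, `"` for the quoted branch), so no two repetitions can match overlapping substrings and the pattern cannot blow up the way the removed `\w+([\.-]?\w+)*` did, where the optional separator let adjacent `\w+` runs overlap. Suggested replacement for the three comment lines: `/** Practical (not fully RFC 5322) email check from emailregex.com; safe against catastrophic backtracking because no repeated group can match overlapping input. */`. Separately, the huntr link in the commit message carries a `?token=` query parameter; if that is an access token it is now permanently in history and should be treated as exposed. The enclosing `userSchema` object starts and ends outside the hunk.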