
fix(organization-invite): add validation for disposable emails #5254

Merged: victorvhs017 merged 1 commit into main from fix/validate-disposable-emails-on-organization-invite on Jan 23, 2026

Conversation

@victorvhs017 (Contributor)

Context

We have validation for disposable emails on signup, but not on organization invites.

Steps to verify the change

Try to invite a user with the email infisical@mailinator.com

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

…mbership creation

- Implemented a check to prevent the use of disposable emails in the membership user service.
- Throws a BadRequestError if a disposable email is detected, enhancing user input validation.
@maidul98 (Collaborator)

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues

@greptile-apps (bot) commented Jan 23, 2026

Greptile Overview

Greptile Summary

This PR adds disposable email validation to organization invite flow, matching existing validation in the signup process.

  • Added isDisposableEmail check in createMembership function to reject invites with disposable emails (e.g., infisical@mailinator.com)
  • Validation happens before user creation and membership setup
  • Critical issue: Missing email format validation before disposable check - malformed inputs could bypass validation since isDisposableEmail uses split('@')[1] without null checks

Confidence Score: 3/5

  • Safe to merge with one logical issue that needs addressing
  • The change correctly adds disposable email validation to organization invites, closing a security gap. However, missing email format validation before the disposable check creates a bypass vulnerability where malformed strings could pass through unchecked
  • backend/src/services/membership-user/membership-user-service.ts requires email format validation before the disposable email check

Important Files Changed

Filename: backend/src/services/membership-user/membership-user-service.ts
Overview: Added disposable email validation to organization invites, but missing email format validation that could bypass the check

greptile-apps bot left a comment: 1 file reviewed, 1 comment

@victorvhs017 victorvhs017 merged commit c7ce3e1 into main Jan 23, 2026
10 of 11 checks passed