Add a validator to reject AMO URLs (#9722)
Родитель
9988dd7268
Коммит
256e8a1714
|
@ -1,7 +1,8 @@
|
|||
import re
|
||||
|
||||
from django.conf import settings
|
||||
from django.core import exceptions
|
||||
from django.core.validators import URLValidator
|
||||
from django.core.validators import RegexValidator, URLValidator
|
||||
from django.db import models
|
||||
from django.forms import fields
|
||||
from django.utils.translation import ugettext, ugettext_lazy as _
|
||||
|
@ -38,7 +39,24 @@ class URLValidatorBackport(URLValidator):
|
|||
|
||||
|
||||
class HttpHttpsOnlyURLField(fields.URLField):
|
||||
default_validators = [URLValidatorBackport(schemes=('http', 'https'))]
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super(HttpHttpsOnlyURLField, self).__init__(*args, **kwargs)
|
||||
|
||||
self.validators = [
|
||||
URLValidatorBackport(schemes=('http', 'https')),
|
||||
# Reject AMO URLs, see:
|
||||
# https://github.com/mozilla/addons-server/issues/9012
|
||||
RegexValidator(
|
||||
regex=r'%s' % re.escape(settings.DOMAIN),
|
||||
message=_(
|
||||
'This field can only be used to link to external websites.'
|
||||
' URLs on %(domain)s are not allowed.',
|
||||
) % {'domain': settings.DOMAIN},
|
||||
code='no_amo_url',
|
||||
inverse_match=True
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
class ReCaptchaField(HumanCaptchaField):
|
||||
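Review bot: The new `RegexValidator` in `HttpHttpsOnlyURLField.__init__` runs a case-sensitive, unanchored search over the whole URL string, so a host that spells `settings.DOMAIN` in different letter case is not rejected, while an external URL that only mentions the domain in its path or query is. Adding `flags=re.IGNORECASE` closes the case gap; a small custom validator that compares the lower-cased hostname of the parsed URL against `settings.DOMAIN` would address both. Separately, assigning `self.validators = [...]` after `super().__init__()` replaces the list the parent constructor built, which as far as I can tell includes a caller's `validators=` argument and the length validators Django adds for `max_length`. Keeping the class-level `default_validators` and using `self.validators.append(RegexValidator(...))` would preserve them. The +/- markers are lost in this rendering, so I am assuming the `default_validators` line is on the removed side.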
|
|
|
@ -1,5 +1,6 @@
|
|||
from django.core import exceptions
|
||||
from django.db import connection, DataError
|
||||
from django.test.utils import override_settings
|
||||
|
||||
from olympia.access.models import Group
|
||||
from olympia.amo.fields import HttpHttpsOnlyURLField
|
||||
|
@ -8,9 +9,13 @@ from olympia.amo.tests import TestCase
|
|||
|
||||
class HttpHttpsOnlyURLFieldTestCase(TestCase):
|
||||
|
||||
domain = 'example.com'
|
||||
|
||||
def setUp(self):
|
||||
super(HttpHttpsOnlyURLFieldTestCase, self).setUp()
|
||||
self.field = HttpHttpsOnlyURLField()
|
||||
|
||||
with override_settings(DOMAIN=self.domain):
|
||||
self.field = HttpHttpsOnlyURLField()
|
||||
|
||||
def test_invalid_scheme_validation_error(self):
|
||||
with self.assertRaises(exceptions.ValidationError):
|
||||
|
@ -38,6 +43,21 @@ class HttpHttpsOnlyURLFieldTestCase(TestCase):
|
|||
with self.assertRaises(exceptions.ValidationError):
|
||||
assert self.field.clean(u'https://test.[com')
|
||||
|
||||
def test_with_domain_and_no_scheme(self):
|
||||
with self.assertRaises(exceptions.ValidationError):
|
||||
self.field.clean(u'%s' % self.domain)
|
||||
|
||||
def test_with_domain_and_http(self):
|
||||
with self.assertRaises(exceptions.ValidationError):
|
||||
self.field.clean(u'http://%s' % self.domain)
|
||||
|
||||
def test_with_domain_and_https(self):
|
||||
with self.assertRaises(exceptions.ValidationError):
|
||||
self.field.clean(u'https://%s' % self.domain)
|
||||
|
||||
def test_domain_is_escaped_in_regex_validator(self):
|
||||
assert self.field.clean(u'example-com.fr') == u'http://example-com.fr'
|
||||
|
||||
|
||||
class TestPositiveAutoField(TestCase):
|
||||
# Just using Group because it's a known user of PositiveAutoField
|
||||
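Review bot: The three `test_with_domain_*` tests only assert that some `ValidationError` is raised, so they would still pass if the value were rejected by the URL/scheme validator rather than by the new AMO rule. Capturing the exception (`with self.assertRaises(exceptions.ValidationError) as cm:`) and checking `cm.exception.error_list[0].code == 'no_amo_url'` would pin the behaviour to the validator this commit adds. Two cases are not covered: a host equal to the domain but in different letter case, and an external URL that contains the domain only in its path or query string.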
|
|