Add a validator to reject AMO URLs (#9722)

William Durand 2018-10-18 12:57:31 +02:00 коммит произвёл GitHub
Родитель 9988dd7268
Коммит 256e8a1714
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
2 изменённых файлов: 41 добавлений и 3 удалений


@ -1,7 +1,8 @@
import re
from django.conf import settings
from django.core import exceptions
from django.core.validators import URLValidator
from django.core.validators import RegexValidator, URLValidator
from django.db import models
from django.forms import fields
from django.utils.translation import ugettext, ugettext_lazy as _
@ -38,7 +39,24 @@ class URLValidatorBackport(URLValidator):
class HttpHttpsOnlyURLField(fields.URLField):
default_validators = [URLValidatorBackport(schemes=('http', 'https'))]
def __init__(self, *args, **kwargs):
super(HttpHttpsOnlyURLField, self).__init__(*args, **kwargs)
self.validators = [
URLValidatorBackport(schemes=('http', 'https')),
# Reject AMO URLs, see:
# https://github.com/mozilla/addons-server/issues/9012
RegexValidator(
regex=r'%s' % re.escape(settings.DOMAIN),
message=_(
'This field can only be used to link to external websites.'
' URLs on %(domain)s are not allowed.',
) % {'domain': settings.DOMAIN},
code='no_amo_url',
inverse_match=True
)
]
class ReCaptchaField(HumanCaptchaField):
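Review bot: The `RegexValidator` built from `re.escape(settings.DOMAIN)` searches the whole submitted string, case-sensitively, so it rejects an external URL that merely contains the domain in its path or query, and it likely lets the site's own host through when it is written in a different letter case (this assumes the form field does not lowercase the host before validators run). Separately, assigning `self.validators = [...]` after `super().__init__()` replaces the list the parent constructor built, which drops any `validators=` passed by the caller and the length validators Django adds for `max_length`/`min_length`. I would compare the parsed hostname instead and append to the existing list, as sketched below; `urlsplit` would need importing, and whether subdomains of `settings.DOMAIN` should also be rejected is a project decision. Passing `params=` to `ValidationError` also keeps the message lazy instead of translating it when the field is constructed.

```python
class HttpHttpsOnlyURLField(fields.URLField):
    # Restored, so the parent constructor installs the scheme check itself.
    default_validators = [URLValidatorBackport(schemes=('http', 'https'))]

    def __init__(self, *args, **kwargs):
        # … unchanged: super().__init__ call …
        domain = settings.DOMAIN.lower()

        def reject_amo_url(value):
            # Compare the parsed host rather than searching the whole URL.
            host = (urlsplit(value).hostname or '').lower()
            if host == domain or host.endswith('.' + domain):
                raise exceptions.ValidationError(
                    _('This field can only be used to link to external websites.'
                      ' URLs on %(domain)s are not allowed.'),
                    code='no_amo_url',
                    params={'domain': domain},
                )

        # Append, so validators installed by the parent constructor survive.
        self.validators.append(reject_amo_url)
```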


@ -1,5 +1,6 @@
from django.core import exceptions
from django.db import connection, DataError
from django.test.utils import override_settings
from olympia.access.models import Group
from olympia.amo.fields import HttpHttpsOnlyURLField
@ -8,9 +9,13 @@ from olympia.amo.tests import TestCase
class HttpHttpsOnlyURLFieldTestCase(TestCase):
domain = 'example.com'
def setUp(self):
super(HttpHttpsOnlyURLFieldTestCase, self).setUp()
self.field = HttpHttpsOnlyURLField()
with override_settings(DOMAIN=self.domain):
self.field = HttpHttpsOnlyURLField()
def test_invalid_scheme_validation_error(self):
with self.assertRaises(exceptions.ValidationError):
@ -38,6 +43,21 @@ class HttpHttpsOnlyURLFieldTestCase(TestCase):
with self.assertRaises(exceptions.ValidationError):
assert self.field.clean(u'https://test.[com')
def test_with_domain_and_no_scheme(self):
with self.assertRaises(exceptions.ValidationError):
self.field.clean(u'%s' % self.domain)
def test_with_domain_and_http(self):
with self.assertRaises(exceptions.ValidationError):
self.field.clean(u'http://%s' % self.domain)
def test_with_domain_and_https(self):
with self.assertRaises(exceptions.ValidationError):
self.field.clean(u'https://%s' % self.domain)
def test_domain_is_escaped_in_regex_validator(self):
assert self.field.clean(u'example-com.fr') == u'http://example-com.fr'
class TestPositiveAutoField(TestCase):
# Just using Group because it's a known user of PositiveAutoField
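Review bot: The added tests only exercise the exact lowercase domain, so nothing pins how the field treats the host in a different letter case, a subdomain, or an external URL whose path or query contains the domain. Adding cases such as `self.field.clean(u'https://%s' % self.domain.upper())` inside `assertRaises`, and an explicit accept-or-reject assertion for a constructed value like `u'https://example.org/?ref=%s' % self.domain`, would document the intended boundary. `override_settings` in `setUp` wraps only construction, so these tests depend on the domain being captured when the field is created; a comment such as `# DOMAIN is read in __init__, so the override only needs to cover construction` would make that explicit.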