mozilla
/
addons-server
зеркало из https://github.com/mozilla/addons-server.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Disable escaping when sending abuse emails (#21897) 

* Disable escaping when sending abuse emails
This commit is contained in:
Mathieu Pillard 2024-02-20 18:01:44 +01:00 коммит произвёл GitHub
Родитель 73500c8fa8
Коммит 66c2417b10
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
2 изменённых файлов: 48 добавлений и 13 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

28
src/olympia/abuse/tests/test_utils.py
Просмотреть файл

@ -86,6 +86,10 @@ class BaseTestCinderAction:
assert f'[ref:ab89/{self.abuse_report_auth.id}]' in mail.outbox[1].body
assert 'After reviewing' not in mail.outbox[0].body
assert 'After reviewing' not in mail.outbox[0].body
assert '"' not in mail.outbox[0].body
assert '"' not in mail.outbox[1].body
assert '<b>' not in mail.outbox[0].body
assert '<b>' not in mail.outbox[1].body
def _test_reporter_ignore_email(self, subject):
assert mail.outbox[0].to == ['email@domain.com']
@ -121,6 +125,10 @@ class BaseTestCinderAction:
)
assert f'[ref:ab89/{self.abuse_report_no_auth.id}]' in mail.outbox[0].body
assert f'[ref:ab89/{self.abuse_report_auth.id}]' in mail.outbox[1].body
assert '"' not in mail.outbox[0].body
assert '"' not in mail.outbox[1].body
assert '<b>' not in mail.outbox[0].body
assert '<b>' not in mail.outbox[1].body
def _test_reporter_appeal_takedown_email(self, subject):
assert mail.outbox[0].to == [self.abuse_report_auth.reporter.email]
@ -131,6 +139,8 @@ class BaseTestCinderAction:
assert 'right to appeal' not in mail.outbox[0].body
assert f'[ref:ab89/{self.abuse_report_auth.id}]' in mail.outbox[0].body
assert 'After reviewing' in mail.outbox[0].body
assert '"' not in mail.outbox[0].body
assert '<b>' not in mail.outbox[0].body
def _test_reporter_ignore_appeal_email(self, subject):
assert mail.outbox[0].to == [self.abuse_report_auth.reporter.email]
@ -141,6 +151,8 @@ class BaseTestCinderAction:
assert 'right to appeal' not in mail.outbox[0].body
assert 'was correct' in mail.outbox[0].body
assert f'[ref:ab89/{self.abuse_report_auth.id}]' in mail.outbox[0].body
assert '"' not in mail.outbox[0].body
assert '<b>' not in mail.outbox[0].body
def _check_owner_email(self, mail_item, subject, snippet):
user = getattr(self, 'user', getattr(self, 'author', None))
@ -148,6 +160,8 @@ class BaseTestCinderAction:
assert mail_item.subject == subject + ' [ref:ab89]'
assert snippet in mail_item.body
assert '[ref:ab89]' in mail_item.body
assert '"' not in mail_item.body
assert '<b>' not in mail_item.body
def _test_owner_takedown_email(self, subject, snippet):
mail_item = mail.outbox[-1]
@ -166,6 +180,8 @@ class BaseTestCinderAction:
'\n - Parent Policy, specifically Bad policy: This is bad thing\n'
in mail_item.body
)
assert '"' not in mail_item.body
assert '<b>' not in mail_item.body
def _test_owner_affirmation_email(self, subject):
mail_item = mail.outbox[0]
@ -222,7 +238,7 @@ class TestCinderActionUser(BaseTestCinderAction, TestCase):
def setUp(self):
super().setUp()
self.user = user_factory()
self.user = user_factory(display_name='<b>Bad Hørse</b>')
self.cinder_job.abusereport_set.update(user=self.user, guid=None)
def _test_ban_user(self):
@ -313,7 +329,7 @@ class TestCinderActionAddon(BaseTestCinderAction, TestCase):
def setUp(self):
super().setUp()
self.author = user_factory()
self.addon = addon_factory(users=(self.author,))
self.addon = addon_factory(users=(self.author,), name='<b>Bad Addön</b>')
ActivityLog.objects.all().delete()
self.cinder_job.abusereport_set.update(guid=self.addon.guid)
@ -537,7 +553,11 @@ class TestCinderActionCollection(BaseTestCinderAction, TestCase):
def setUp(self):
super().setUp()
self.author = user_factory()
self.collection = collection_factory(author=self.author)
self.collection = collection_factory(
author=self.author,
name='<b>Bad Collectiôn</b>',
slug='bad-collection',
)
self.cinder_job.abusereport_set.update(collection=self.collection, guid=None)
def _test_delete_collection(self):
@ -632,7 +652,7 @@ class TestCinderActionRating(BaseTestCinderAction, TestCase):
super().setUp()
self.author = user_factory()
self.rating = Rating.objects.create(
addon=addon_factory(), user=self.author, body='Saying something bad'
addon=addon_factory(), user=self.author, body='Saying something <b>bad</b>'
)
self.cinder_job.abusereport_set.update(rating=self.rating, guid=None)
ActivityLog.objects.all().delete()

31
src/olympia/abuse/utils.py
Просмотреть файл

@ -4,18 +4,24 @@ from django.conf import settings
from django.template import loader
from django.urls import reverse
from django.utils import translation
from django.utils.safestring import mark_safe
from django.utils.translation import gettext_lazy as _
from olympia import amo
from olympia.activity import log_create
from olympia.addons.models import Addon
from olympia.amo.templatetags.jinja_helpers import absolutify
from olympia.amo.utils import send_mail
from olympia.amo.utils import no_jinja_autoescape, send_mail
from olympia.bandwagon.models import Collection
from olympia.ratings.models import Rating
from olympia.users.models import UserProfile
POLICY_DOCUMENT_URL = (
'https://extensionworkshop.com/documentation/publish/add-on-policies/'
)
class CinderAction:
description = 'Action has been taken'
valid_targets = []
@ -70,13 +76,18 @@ class CinderAction:
owners = self.get_owners()
if not owners:
return
name = self.get_target_name()
with no_jinja_autoescape():
template = loader.get_template(self.owner_template_path)
target_name = self.get_target_name()
reference_id = f'ref:{self.cinder_job.decision_id}'
context_dict = {
'additional_reasoning': self.cinder_job.decision_notes or '',
'is_third_party_initiated': self.is_third_party_initiated,
'name': name,
'policy_document_url': 'https://extensionworkshop.com/documentation/publish/add-on-policies/',
# Auto-escaping is already disabled above as we're dealing with an
# email but the target name could have triggered lazy escaping when
# it was generated so it needs special treatment to avoid it.
'name': mark_safe(target_name),
'policy_document_url': POLICY_DOCUMENT_URL,
'reference_id': reference_id,
'target': self.target,
'target_url': absolutify(self.target.get_url_path()),
@ -100,8 +111,7 @@ class CinderAction:
)
)
subject = f'Mozilla Add-ons: {name} [{reference_id}]'
template = loader.get_template(self.owner_template_path)
subject = f'Mozilla Add-ons: {target_name} [{reference_id}]'
self.send_mail(
subject,
template.render(context_dict),
@ -119,6 +129,7 @@ class CinderAction:
)
if not template:
return
with no_jinja_autoescape():
template = loader.get_template(template)
reporters = (
self.cinder_job.appellants.all()
@ -142,8 +153,12 @@ class CinderAction:
target_name, reference_id
)
context_dict = {
'name': target_name,
'policy_document_url': 'https://extensionworkshop.com/documentation/publish/add-on-policies/',
# Auto-escaping is already disabled above as we're dealing
# with an email but the target name could have triggered
# lazy escaping when it was generated so it needs special
# treatment to avoid it.
'name': mark_safe(target_name),
'policy_document_url': POLICY_DOCUMENT_URL,
'reference_id': reference_id,
'target_url': absolutify(self.target.get_url_path()),
'type': self.get_target_type(),