external-repos/ivatar
1
0
Fork 0
mirror of https://git.linux-kernel.at/oliver/ivatar.git synced 2025-11-12 19:26:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'adapt-old-config' into 'devel'

Browse Source 
fix: resolve backward compability in config

See merge request oliver/ivatar!209
This commit is contained in:
Oliver Falk
2022-09-15 17:03:07 +00:00
parent ce18bb58bd cf65ea2c6a
commit 899e8db661
4 changed files with 55 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
config.py
View File

@@ -255,3 +255,18 @@ TRUSTED_DEFAULT_URLS = [
# This MUST BE THE LAST! # This MUST BE THE LAST!
if os.path.isfile(os.path.join(BASE_DIR, "config_local.py")): if os.path.isfile(os.path.join(BASE_DIR, "config_local.py")):
from config_local import * # noqa # flake8: noqa # NOQA # pragma: no cover from config_local import * # noqa # flake8: noqa # NOQA # pragma: no cover
def map_legacy_config(trusted_url):
"""
For backward compability with the legacy configuration
for trusting URLs. Adapts them to fit the new config.
"""
if isinstance(trusted_url, str):
return {
"url_prefix": trusted_url
}
return trusted_url
# Backward compability for legacy behavior
TRUSTED_DEFAULT_URLS = list(map(map_legacy_config, TRUSTED_DEFAULT_URLS))

31
ivatar/test_utils.py
View File

@@ -47,7 +47,7 @@ class Tester(TestCase):
self.assertEqual(openid_variations(openid3)[3], openid3) self.assertEqual(openid_variations(openid3)[3], openid3)
def test_is_trusted_url(self): def test_is_trusted_url(self):
test1 = is_trusted_url("https://gravatar.com/avatar/63a75a80e6b1f4adfdb04c1ca02e596c", [ test_gravatar_true = is_trusted_url("https://gravatar.com/avatar/63a75a80e6b1f4adfdb04c1ca02e596c", [
{ {
"schemes": [ "schemes": [
"http", "http",
@@ -57,9 +57,9 @@ class Tester(TestCase):
"path_prefix": "/avatar/" "path_prefix": "/avatar/"
} }
]) ])
self.assertTrue(test1) self.assertTrue(test_gravatar_true)
test2 = is_trusted_url("https://gravatar.com.example.org/avatar/63a75a80e6b1f4adfdb04c1ca02e596c", [ test_gravatar_false = is_trusted_url("https://gravatar.com.example.org/avatar/63a75a80e6b1f4adfdb04c1ca02e596c", [
{ {
"schemes": [ "schemes": [
"http", "http",
@@ -69,10 +69,9 @@ class Tester(TestCase):
"path_prefix": "/avatar/" "path_prefix": "/avatar/"
} }
]) ])
self.assertFalse(test2) self.assertFalse(test_gravatar_false)
# Test against open redirect with valid URL in query params test_open_redirect = is_trusted_url("https://github.com/SethFalco/?boop=https://secure.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50", [
test3 = is_trusted_url("https://github.com/SethFalco/?boop=https://secure.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50", [
{ {
"schemes": [ "schemes": [
"http", "http",
@@ -82,9 +81,9 @@ class Tester(TestCase):
"path_prefix": "/avatar/" "path_prefix": "/avatar/"
} }
]) ])
self.assertFalse(test3) self.assertFalse(test_open_redirect)
test4 = is_trusted_url("https://ui-avatars.com/api/blah", [ test_multiple_filters = is_trusted_url("https://ui-avatars.com/api/blah", [
{ {
"schemes": [ "schemes": [
"https" "https"
@@ -101,4 +100,18 @@ class Tester(TestCase):
"path_prefix": "/avatar/" "path_prefix": "/avatar/"
} }
]) ])
self.assertTrue(test4) self.assertTrue(test_multiple_filters)
test_url_prefix_true = is_trusted_url("https://ui-avatars.com/api/blah", [
{
"url_prefix": "https://ui-avatars.com/api/"
}
])
self.assertTrue(test_url_prefix_true)
test_url_prefix_false = is_trusted_url("https://ui-avatars.com/api/blah", [
{
"url_prefix": "https://gravatar.com/avatar/"
}
])
self.assertFalse(test_url_prefix_false)

6
ivatar/utils.py
View File

@@ -149,6 +149,12 @@ def is_trusted_url(url, url_filters):
if not path.startswith(path_prefix): if not path.startswith(path_prefix):
continue continue
if "url_prefix" in filter:
url_prefix = filter["url_prefix"]
if not url.startswith(url_prefix):
continue
return True return True
return False return False

9
ivatar/views.py
View File

@@ -141,10 +141,11 @@ class AvatarImageView(TemplateView):
if "default" in request.GET: if "default" in request.GET:
default = request.GET["default"] default = request.GET["default"]
# Check if default starts with an URL scheme and if it does, if default is not None:
# check if it's trusted if TRUSTED_DEFAULT_URLS is None:
# Check for :// (schema) print("Query parameter `default` is disabled.")
if default is not None and default.find("://") > 0: default = None
elif default.find("://") > 0:
# Check if it's trusted, if not, reset to None # Check if it's trusted, if not, reset to None
trusted_url = is_trusted_url(default, TRUSTED_DEFAULT_URLS) trusted_url = is_trusted_url(default, TRUSTED_DEFAULT_URLS)