From 3b72e16d9ffaa6a54c2eef50da1cfc2c5d71acd9 Mon Sep 17 00:00:00 2001 From: Matthias Dellweg Date: Fri, 2 Aug 2024 17:18:25 +0200 Subject: [PATCH] Fix urlize for pulp api hrefs Instead of carrying a copy of the whole api template, we just overwrite the branding related blocks. Also we monkeypatch django's urlize to know about pulp api hrefs. fixes #5664 --- CHANGES/5664.bugfix | 1 + .../app/templates/rest_framework/api.html | 314 +----------------- pulpcore/app/templatetags/pulp_urls.py | 89 +---- pulpcore/tests/unit/test_pulp_urls.py | 108 ++++-- 4 files changed, 102 insertions(+), 410 deletions(-) create mode 100644 CHANGES/5664.bugfix diff --git a/CHANGES/5664.bugfix b/CHANGES/5664.bugfix new file mode 100644 index 0000000000..50fcb275de --- /dev/null +++ b/CHANGES/5664.bugfix @@ -0,0 +1 @@ +Fixed urlizing of api hrefs in clickable api. diff --git a/pulpcore/app/templates/rest_framework/api.html b/pulpcore/app/templates/rest_framework/api.html index ee09ad2a80..9323658af3 100644 --- a/pulpcore/app/templates/rest_framework/api.html +++ b/pulpcore/app/templates/rest_framework/api.html @@ -1,309 +1,9 @@ -{% load static %} -{% load i18n %} -{% load rest_framework %} -{% load pulp_urls %} +{% extends "rest_framework/base.html" %} - - - - {% block head %} +{% block "title" %} +{% if name %}{{ name }} – {% endif %}Pulp 3 +{% endblock %} - {% block meta %} - - - {% endblock %} - - {% block title %}{% if name %}{{ name }} – {% endif %}Pulp 3{% endblock %} - - {% block style %} - {% block bootstrap_theme %} - - - {% endblock %} - - - - {% if code_style %}{% endif %} - {% endblock %} - - {% endblock %} - - - {% block body %} - - -
- {% block navbar %} - - {% endblock %} - -
- {% block breadcrumbs %} - - {% endblock %} - - -
- {% block content %} - -
- {% if 'GET' in allowed_methods %} -
-
- {% if api_settings.URL_FORMAT_OVERRIDE %} -
- GET - - - -
- {% else %} - GET - {% endif %} -
-
- {% endif %} - - {% if options_form %} -
- -
- {% endif %} - - {% if delete_form %} - - - - - {% endif %} - - {% if extra_actions %} - - {% endif %} - - {% if filter_form %} - - {% endif %} -
- -
- -
- {% block description %} - {{ description }} - {% endblock %} -
- - {% if paginator %} - - {% endif %} - -
-
{{ request.method }} {{ request.get_full_path }}
-
- -
-
HTTP {{ response.status_code }} {{ response.status_text }}{% autoescape off %}{% for key, val in response_headers|items %}
-{{ key }}: {{ val|break_long_headers|urlize|urlize_quoted_hrefs }}{% endfor %}
-
-{{ content|urlize|urlize_quoted_hrefs }}
{% endautoescape %} -
-
- - {% if display_edit_forms %} - {% if post_form or raw_data_post_form %} -
- {% if post_form %} - - {% endif %} - -
- {% if post_form %} -
- {% with form=post_form %} -
-
- {% csrf_token %} - {{ post_form }} -
- -
-
-
- {% endwith %} -
- {% endif %} - -
- {% with form=raw_data_post_form %} -
-
- {% include "rest_framework/raw_data_form.html" %} -
- -
-
-
- {% endwith %} -
-
-
- {% endif %} - - {% if put_form or raw_data_put_form or raw_data_patch_form %} -
- {% if put_form %} - - {% endif %} - -
- {% if put_form %} -
-
-
- {{ put_form }} -
- -
-
-
-
- {% endif %} - -
- {% with form=raw_data_put_or_patch_form %} -
-
- {% include "rest_framework/raw_data_form.html" %} -
- {% if raw_data_put_form %} - - {% endif %} - {% if raw_data_patch_form %} - - {% endif %} -
-
-
- {% endwith %} -
-
-
- {% endif %} - {% endif %} - {% endblock content %} -
-
-
- - {% if filter_form %} - {{ filter_form }} - {% endif %} - - {% block script %} - - - - - - - - - {% endblock %} - - - {% endblock %} - +{% block branding %} + Pulp 3 +{% endblock %} diff --git a/pulpcore/app/templatetags/pulp_urls.py b/pulpcore/app/templatetags/pulp_urls.py index a94e968bae..ed4a727933 100644 --- a/pulpcore/app/templatetags/pulp_urls.py +++ b/pulpcore/app/templatetags/pulp_urls.py @@ -1,84 +1,23 @@ -import re - -from django import template +from django.template.defaultfilters import stringfilter, urlize as orig_urlize, register from django.conf import settings -from django.utils.encoding import force_str -from django.utils.html import escape, smart_urlquote from django.utils.safestring import SafeData, mark_safe -register = template.Library() - - -TRAILING_PUNCTUATION = [".", ",", ":", ".)", '"', "'", """, ";"] -WRAPPING_PUNCTUATION = [ - ("(", ")"), - ("<", ">"), - ("[", "]"), - ("<", ">"), - ('"', '"'), - ("'", "'"), - (""", """), -] -word_split_re = re.compile(r"(\s+)") -api_root_prefix = r"^" + settings.V3_API_ROOT.replace("/", r"\/") -href_re = re.compile(api_root_prefix, re.IGNORECASE) - @register.filter(needs_autoescape=True) -def urlize_quoted_hrefs(text, trim_url_limit=None, nofollow=True, autoescape=True): +@stringfilter +def urlize(text, autoescape=True): """ - Converts href in text into clickable links. If trim_url_limit is not None, the URLs in link - text longer than this limit will truncated to trim_url_limit-3 characters and appended with - an ellipsis. If nofollow is True, the URLs in link text will get a rel="nofollow" attribute. + Converts hrefs and urls in the input in to clickable links. + This filter overwrites the django default implementation to also handle pulp api hrefs. """ - - def trim_url(x, limit=trim_url_limit): - return limit is not None and (len(x) > limit and ("%s..." % x[: max(0, limit - 3)])) or x - safe_input = isinstance(text, SafeData) - words = word_split_re.split(force_str(text)) - for i, word in enumerate(words): - if settings.V3_API_ROOT in word: - # Deal with punctuation. - lead, middle, trail = "", word, "" - for punctuation in TRAILING_PUNCTUATION: - if middle.endswith(punctuation): - middle = middle[: -len(punctuation)] - trail = punctuation + trail - for opening, closing in WRAPPING_PUNCTUATION: - if middle.startswith(opening): - middle = middle[len(opening) :] - lead = lead + opening - # Keep parentheses at the end only if they're balanced. - if middle.endswith(closing) and middle.count(closing) == middle.count(opening) + 1: - middle = middle[: -len(closing)] - trail = closing + trail - - # Make URL we want to point to. - url = None - nofollow_attr = ' rel="nofollow"' if nofollow else "" - - if href_re.match(middle): - url = smart_urlquote(middle) - - # Check if it's a real URL - if url and ("{" in url or "%7B" in url): - url = None - - # Make link. - if url: - trimmed = trim_url(middle) - if autoescape and not safe_input: - lead, trail = escape(lead), escape(trail) - url, trimmed = escape(url), escape(trimmed) - middle = '%s' % (url, nofollow_attr, trimmed) - words[i] = mark_safe("%s%s%s" % (lead, middle, trail)) - else: - if safe_input: - words[i] = mark_safe(word) - elif autoescape: - words[i] = escape(word) - else: - words[i] = escape(word) - return "".join(words) + text = text.replace(settings.V3_API_ROOT, "http://SENTINEL.org" + settings.V3_API_ROOT) + if safe_input: + text = mark_safe(text) + text = orig_urlize(text, autoescape=autoescape) + safe_input = isinstance(text, SafeData) + text = text.replace("http://SENTINEL.org" + settings.V3_API_ROOT, settings.V3_API_ROOT) + if safe_input: + text = mark_safe(text) + return text diff --git a/pulpcore/tests/unit/test_pulp_urls.py b/pulpcore/tests/unit/test_pulp_urls.py index cfaa9bd232..29e21aea2e 100644 --- a/pulpcore/tests/unit/test_pulp_urls.py +++ b/pulpcore/tests/unit/test_pulp_urls.py @@ -1,58 +1,110 @@ import pytest -from django.conf import settings +import json from pulpcore.app.templatetags import pulp_urls -pytestmark = pytest.mark.usefixtures("fake_domain") +@pytest.fixture(autouse=True) +def api_root(settings): + settings.DOMAIN_ENABLED = True + # TODO: dynaconf lazy settings... + # settings.API_ROOT = "/baz/" + settings.V3_API_ROOT = "/baz/api/v3/" -def test_urlize_quoted_hrefs_basic_url(): + +def test_urlize_basic_url(): """ - text starts with API_ROOT, defaults. Should be made clickable + Text starts with V3_API_ROOT. Should be made clickable. """ - txt = settings.V3_API_ROOT + "foo/bar/" - ret = pulp_urls.urlize_quoted_hrefs(txt) + txt = "/baz/api/v3/foo/bar/" + ret = pulp_urls.urlize(txt) assert ret == f'{txt}' -def test_urlize_quoted_hrefs_nofollow(): +def test_urlize_quoted_href(): """ - text starts with API_ROOT, defaults. Should be made clickable + Text contains V3_API_ROOT in quotes. Should be made clickable. """ - txt = settings.V3_API_ROOT + "foo/bar/" - ret = pulp_urls.urlize_quoted_hrefs(txt, nofollow=False) - assert ret == f'{txt}' + txt = json.dumps({"pulp_href": "/baz/api/v3/foo/bar/"}) + ret = pulp_urls.urlize(txt) + assert ret == ( + '{"pulp_href": "/baz/api/v3/foo/bar/"}' + ) -def test_urlize_quoted_hrefs_trim(): +def test_urlize_mixed_bag(): """ - text starts with API_ROOT, defaults. Should be made clickable + Text contains lots of stuff in json. """ - txt = settings.V3_API_ROOT + "foo/bar/" - trim_txt = txt[0] + "..." - ret = pulp_urls.urlize_quoted_hrefs(txt, trim_url_limit=4) - assert ret == f'{trim_txt}' + txt = json.dumps( + { + "pulp_href": "/baz/api/v3/foo/bar/", + "related": "/baz/api/v3/other/", + "description": "Test XSS .", + } + ) + ret = pulp_urls.urlize(txt) + assert ret == ( + '{"pulp_href": "/baz/api/v3/foo/bar/", ' + '"related": "/baz/api/v3/other/", ' + ""description": " + ""Test XSS <script>alert('ALERT')</script>."}" + ) -def test_urlize_quoted_hrefs_basic_url_xss(): +def test_urlize_quoted_href_no_autoescape(): """ - text starts with API_ROOT, includes XSS, defaults. Should be made clickable, escape XSS + Text contains V3_API_ROOT in quotes. Should be made clickable. """ - txt = settings.V3_API_ROOT + "foo/bar/blech/" + txt = json.dumps({"pulp_href": "/baz/api/v3/foo/bar/"}) + ret = pulp_urls.urlize(txt, autoescape=False) + assert ret == ( + '{"pulp_href": "/baz/api/v3/foo/bar/"}' + ) + + +def test_urlize_url_xss_autoescape(): + """ + Text starts with API_ROOT, includes XSS. Should be made clickable, escape XSS. + """ + txt = "/baz/api/v3/foo/bar/blech/" escapified_linked_text = ( - '' + settings.V3_API_ROOT + "foo/bar/<script>" - "alert('ALERT!')</script>blech/" + '/baz/api/v3/foo/bar/' + "<script>alert('ALERT!')</script>blech/" ) - ret = pulp_urls.urlize_quoted_hrefs(txt) + ret = pulp_urls.urlize(txt) assert ret == escapified_linked_text -def test_urlize_quoted_hrefs_basic_escape(): +def test_urlize_url_xss_no_autoescape(): """ - text contains XSS. Expect escaped + Text starts with API_ROOT, includes XSS. Should be made clickable, not escape XSS. + """ + txt = "/baz/api/v3/foo/bar/blech/" + escapified_linked_text = ( + '/baz/api/v3/foo/bar/' + "blech/" + ) + ret = pulp_urls.urlize(txt, autoescape=False) + assert ret == escapified_linked_text + + +def test_urlize_autoescape(): + """ + Text contains XSS. Expect escaped. """ txt = "foo/bar/blech/" - ret = pulp_urls.urlize_quoted_hrefs(txt) + ret = pulp_urls.urlize(txt) assert ret == "foo/bar/<script>alert('ALERT!')</script>blech/" + + +def test_urlize_no_autoescape(): + """ + Text contains XSS. Expect not escaped. + """ + txt = "foo/bar/blech/" + ret = pulp_urls.urlize(txt, autoescape=False) + assert ret == txt