From 6ef8a1c18ff89b76d5b9ce227d9ecceee0ece950 Mon Sep 17 00:00:00 2001
From: dgtlmoon
Date: Sun, 13 Aug 2023 18:27:55 +0200
Subject: [PATCH] Updating URL validation library, ability to block access to simple (no dot) hostnames like "localhost" with BLOCK_SIMPLEHOSTS setting (#1732)
---
 .github/workflows/test-only.yml | 3 ++-
 changedetectionio/api/api_v1.py | 7 ++++++-
 changedetectionio/forms.py | 6 ++++--
 requirements.txt | 3 ++-
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/test-only.yml b/.github/workflows/test-only.yml
index a7de9c7b..9acfb3f8 100644
--- a/.github/workflows/test-only.yml
+++ b/.github/workflows/test-only.yml
@@ -36,6 +36,8 @@ jobs:
 run: |
 # Build a changedetection.io container and start testing inside
 docker build . -t test-changedetectionio
+ # Debug info
+ docker run test-changedetectionio bash -c 'pip list'
 - name: Spin up ancillary SMTP+Echo message test server
 run: |
@@ -44,7 +46,6 @@ jobs:
 - name: Test built container with pytest
 run: |
- # Unit tests
 docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_notification_diff'
diff --git a/changedetectionio/api/api_v1.py b/changedetectionio/api/api_v1.py
index f81b1d58..783827ca 100644
--- a/changedetectionio/api/api_v1.py
+++ b/changedetectionio/api/api_v1.py
@@ -1,3 +1,6 @@
+import os
+from distutils.util import strtobool
+
 from flask_expects_json import expects_json
 from changedetectionio import queuedWatchMetaData
 from flask_restful import abort, Resource
@@ -209,7 +212,9 @@ class CreateWatch(Resource):
 json_data = request.get_json()
 url = json_data['url'].strip()
- if not validators.url(json_data['url'].strip()):
+ # If hosts that only contain alphanumerics are allowed ("localhost" for example)
+ allow_simplehost = not strtobool(os.getenv('BLOCK_SIMPLEHOSTS', 'False'))
+ if not validators.url(url, simple_host=allow_simplehost):
 return "Invalid or unsupported URL", 400
 if json_data.get('proxy'):
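Review bot: `strtobool` raises `ValueError` for any string outside its fixed vocabulary, so a BLOCK_SIMPLEHOSTS value such as `"enabled"` or `"1 "` (trailing space) turns every watch creation in this hunk into a 500 instead of falling back to a default; the new `allow_simplehost` line should normalise and compare explicitly, e.g. `allow_simplehost = os.getenv('BLOCK_SIMPLEHOSTS', 'false').strip().lower() not in ('1', 'true', 'yes', 'on')`. `distutils`, imported in the first hunk of this file, is deprecated and removed from the standard library in Python 3.12, so dropping it here also avoids a future import failure. The same environment parsing is repeated in the forms.py hunk; a single shared helper would keep the two call sites from drifting apart. The default keeps simple hosts allowed, and `simple_host` only concerns dot-less hostnames — a loopback or link-local IP literal is not affected by it — so the setting should not be documented as a complete guard against fetching internal addresses on its own. The enclosing CreateWatch method continues outside the hunk.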
diff --git a/changedetectionio/forms.py b/changedetectionio/forms.py
index 7199b445..4725b181 100644
--- a/changedetectionio/forms.py
+++ b/changedetectionio/forms.py
@@ -1,5 +1,6 @@
 import os
 import re
+from distutils.util import strtobool
 from wtforms import (
 BooleanField,
@@ -257,9 +258,10 @@ class validateURL(object):
 def __call__(self, form, field):
 import validators
-
+ # If hosts that only contain alphanumerics are allowed ("localhost" for example)
+ allow_simplehost = not strtobool(os.getenv('BLOCK_SIMPLEHOSTS', 'False'))
 try:
- validators.url(field.data.strip())
+ validators.url(field.data.strip(), simple_host=allow_simplehost)
 except validators.ValidationFailure:
 message = field.gettext('\'%s\' is not a valid URL.' % (field.data.strip()))
 raise ValidationError(message)
diff --git a/requirements.txt b/requirements.txt
index 9c09aca3..6fec3029 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,7 +10,8 @@ flask~=2.0
 inscriptis~=2.2
 pytz
 timeago~=1.0
-validators
+validators~=0.21
+
 # Set these versions together to avoid a RequestsDependencyWarning
 # >= 2.26 also adds Brotli support if brotli is installed
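Review bot: The `except validators.ValidationFailure:` branch kept around the new `validators.url(...)` call only fires if the library raises, yet the api_v1.py hunk in this same commit checks the return value with `if not validators.url(...)`, which is how this library normally reports a failed check (a falsy `ValidationFailure` result); if the pinned 0.21 release returns rather than raises, an invalid URL passes this form validator silently and the BLOCK_SIMPLEHOSTS gate has no effect on the UI path. Replacing the try/except with `if not validators.url(field.data.strip(), simple_host=allow_simplehost):` followed by the existing `message`/`raise ValidationError(message)` lines would make both call sites agree and behave the same way. The `strtobool` parsing of the environment value has the same `ValueError` exposure noted for api_v1.py. `__call__` starts inside the hunk but the rest of `validateURL` lies outside it.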