Updating URL validation library, ability to block access to simple (no dot) hostnames like "localhost" with BLOCK_SIMPLEHOSTS setting (#1732)

1725-linux-arm-v8^2
dgtlmoon 1 year ago committed by GitHub
parent 126f0fbf87
commit 6ef8a1c18f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -36,6 +36,8 @@ jobs:
run: | run: |
# Build a changedetection.io container and start testing inside # Build a changedetection.io container and start testing inside
docker build . -t test-changedetectionio docker build . -t test-changedetectionio
# Debug info
docker run test-changedetectionio bash -c 'pip list'
- name: Spin up ancillary SMTP+Echo message test server - name: Spin up ancillary SMTP+Echo message test server
run: | run: |
@ -44,7 +46,6 @@ jobs:
- name: Test built container with pytest - name: Test built container with pytest
run: | run: |
# Unit tests # Unit tests
docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_notification_diff' docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_notification_diff'

@ -1,3 +1,6 @@
import os
from distutils.util import strtobool
from flask_expects_json import expects_json from flask_expects_json import expects_json
from changedetectionio import queuedWatchMetaData from changedetectionio import queuedWatchMetaData
from flask_restful import abort, Resource from flask_restful import abort, Resource
@ -209,7 +212,9 @@ class CreateWatch(Resource):
json_data = request.get_json() json_data = request.get_json()
url = json_data['url'].strip() url = json_data['url'].strip()
if not validators.url(json_data['url'].strip()): # If hosts that only contain alphanumerics are allowed ("localhost" for example)
allow_simplehost = not strtobool(os.getenv('BLOCK_SIMPLEHOSTS', 'False'))
if not validators.url(url, simple_host=allow_simplehost):
return "Invalid or unsupported URL", 400 return "Invalid or unsupported URL", 400
if json_data.get('proxy'): if json_data.get('proxy'):
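Review bot: `strtobool(os.getenv('BLOCK_SIMPLEHOSTS', 'False'))` raises ValueError for any value outside distutils' fixed yes/no vocabulary (an empty `BLOCK_SIMPLEHOSTS=` included), and since it runs inside the request handler that surfaces as an unhandled error on every watch-create call rather than a configuration message; `distutils` is also deprecated by PEP 632 and absent from Python 3.12+, so the dependency should not be added in new code. The same line appears in the forms.py hunk; both would be better served by one shared helper, e.g. `def block_simplehosts() -> bool: return os.getenv('BLOCK_SIMPLEHOSTS', 'False').strip().lower() in ('1', 'true', 'yes', 'on')`, with `allow_simplehost = not block_simplehosts()` at each call site. It would also help to document, where the setting is described, that it only decides whether undotted names like "localhost" are accepted; a dotted literal such as a loopback or link-local address is presumably still accepted by this check, so operators should not read it as a general internal-address filter. The default (`'False'`) leaves simple hosts allowed, which matches the commit title but is worth stating explicitly in the setting's documentation. The enclosing method of CreateWatch starts before this hunk.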

@ -1,5 +1,6 @@
import os import os
import re import re
from distutils.util import strtobool
from wtforms import ( from wtforms import (
BooleanField, BooleanField,
@ -257,9 +258,10 @@ class validateURL(object):
def __call__(self, form, field): def __call__(self, form, field):
import validators import validators
# If hosts that only contain alphanumerics are allowed ("localhost" for example)
allow_simplehost = not strtobool(os.getenv('BLOCK_SIMPLEHOSTS', 'False'))
try: try:
validators.url(field.data.strip()) validators.url(field.data.strip(), simple_host=allow_simplehost)
except validators.ValidationFailure: except validators.ValidationFailure:
message = field.gettext('\'%s\' is not a valid URL.' % (field.data.strip())) message = field.gettext('\'%s\' is not a valid URL.' % (field.data.strip()))
raise ValidationError(message) raise ValidationError(message)
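Review bot: The api.py hunk treats the `validators.url(...)` return value as the failure signal (`if not validators.url(url, simple_host=allow_simplehost)`), while this hunk relies on it raising `validators.ValidationFailure`; the library has historically returned a falsy `ValidationFailure` object instead of raising, in which case the `except` here never fires and an invalid URL passes form validation silently. Confirm against the pinned `validators~=0.21` behaviour and, if it returns, change the body to `if not validators.url(field.data.strip(), simple_host=allow_simplehost): raise ValidationError(...)` so both call sites check the same way. `field.data.strip()` is also evaluated three times in this method; binding it once (`url = field.data.strip()`) would keep the message and the check on the same value. `validateURL.__call__` begins at the first line of this hunk, but the class header is outside it.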

@ -10,7 +10,8 @@ flask~=2.0
inscriptis~=2.2 inscriptis~=2.2
pytz pytz
timeago~=1.0 timeago~=1.0
validators validators~=0.21
# Set these versions together to avoid a RequestsDependencyWarning # Set these versions together to avoid a RequestsDependencyWarning
# >= 2.26 also adds Brotli support if brotli is installed # >= 2.26 also adds Brotli support if brotli is installed
