indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Snake case

merge-requests/30/head
Bob Mottram 2021-12-27 21:42:08 +00:00
parent 0efd2c1b78
commit 88922a9b4f
9 changed files with 65 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content.py
View File

@ -19,7 +19,7 @@ from utils import load_json
from utils import save_json
from utils import fileLastModified
from utils import get_link_prefixes
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import is_pgp_encrypted
from utils import contains_pgp_public_key
from utils import acct_dir
@ -209,7 +209,7 @@ def dangerousCSS(filename: str, allow_local_network_access: bool) -> bool:
# an attacker can include html inside of the css
# file as a comment and this may then be run from the html
if dangerousMarkup(content, allow_local_network_access):
if dangerous_markup(content, allow_local_network_access):
return True
return False

10
daemon.py
View File

@ -300,7 +300,7 @@ from utils import url_permitted
from utils import load_json
from utils import save_json
from utils import is_suspended
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import refresh_newswire
from utils import is_image_file
from utils import has_group_type
@ -4158,8 +4158,8 @@ class PubServer(BaseHTTPRequestHandler):
if nickname == adminNickname:
if fields.get('editedAbout'):
aboutStr = fields['editedAbout']
if not dangerousMarkup(aboutStr,
allow_local_network_access):
if not dangerous_markup(aboutStr,
allow_local_network_access):
try:
with open(aboutFilename, 'w+') as aboutFile:
aboutFile.write(aboutStr)
@ -4175,8 +4175,8 @@ class PubServer(BaseHTTPRequestHandler):
if fields.get('editedTOS'):
TOSStr = fields['editedTOS']
if not dangerousMarkup(TOSStr,
allow_local_network_access):
if not dangerous_markup(TOSStr,
allow_local_network_access):
try:
with open(TOSFilename, 'w+') as TOSFile:
TOSFile.write(TOSStr)

4
inbox.py
View File

@ -88,7 +88,7 @@ from blocking import broch_modeLapses
from filters import isFiltered
from utils import update_announce_collection
from utils import undo_announce_collection_entry
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import is_dm
from utils import is_reply
from utils import has_actor
@ -2241,7 +2241,7 @@ def _validPostContent(base_dir: str, nickname: str, domain: str,
return True
contentStr = get_base_content_from_post(message_json, system_language)
if dangerousMarkup(contentStr, allow_local_network_access):
if dangerous_markup(contentStr, allow_local_network_access):
if message_json['object'].get('id'):
print('REJECT ARBITRARY HTML: ' + message_json['object']['id'])
print('REJECT ARBITRARY HTML: bad string in post - ' +

6
newsdaemon.py
View File

@ -32,7 +32,7 @@ from utils import load_json
from utils import save_json
from utils import get_status_number
from utils import clearFromPostCaches
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import local_actor_url
from inbox import storeHashTags
from session import createSession
@ -599,8 +599,8 @@ def _convertRSStoActivityPub(base_dir: str, http_prefix: str,
rssTitle = _removeControlCharacters(item[0])
url = item[1]
if dangerousMarkup(url, allow_local_network_access) or \
dangerousMarkup(rssTitle, allow_local_network_access):
if dangerous_markup(url, allow_local_network_access) or \
dangerous_markup(rssTitle, allow_local_network_access):
continue
rssDescription = ''

4
outbox.py
View File

@ -23,7 +23,7 @@ from utils import get_local_network_addresses
from utils import get_full_domain
from utils import remove_id_ending
from utils import get_domain_from_actor
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import is_featured_writer
from utils import load_json
from utils import save_json
@ -225,7 +225,7 @@ def postMessageToOutbox(session, translate: {},
if has_object_dict(message_json):
contentStr = get_base_content_from_post(message_json, system_language)
if contentStr:
if dangerousMarkup(contentStr, allow_local_network_access):
if dangerous_markup(contentStr, allow_local_network_access):
print('POST to outbox contains dangerous markup: ' +
str(message_json))
return False

6
posts.py
View File

@ -66,7 +66,7 @@ from utils import locateNewsVotes
from utils import locateNewsArrival
from utils import votesOnNewswireItem
from utils import remove_html
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import acct_dir
from utils import local_actor_url
from media import attachMedia
@ -414,7 +414,7 @@ def getPersonBox(signing_priv_key_pem: str, originDomain: str,
displayName = None
if personJson.get('name'):
displayName = personJson['name']
if dangerousMarkup(personJson['name'], False):
if dangerous_markup(personJson['name'], False):
displayName = '*ADVERSARY*'
elif isFiltered(base_dir,
nickname, domain,
@ -4674,7 +4674,7 @@ def downloadAnnounce(session, base_dir: str, http_prefix: str,
return None
# Check the content of the announce
contentStr = announcedJson['content']
if dangerousMarkup(contentStr, allow_local_network_access):
if dangerous_markup(contentStr, allow_local_network_access):
_rejectAnnounce(announceFilename,
base_dir, nickname, domain, post_id,
recent_posts_cache)

30
tests.py
View File

@ -83,7 +83,7 @@ from utils import save_json
from utils import get_status_number
from utils import get_followers_of_person
from utils import remove_html
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import acct_dir
from pgp import extractPGPPublicKey
from pgp import pgpPublicKeyUpload
@ -3714,62 +3714,62 @@ def _testDangerousMarkup():
print('testDangerousMarkup')
allow_local_network_access = False
content = '<p>This is a valid message</p>'
assert(not dangerousMarkup(content, allow_local_network_access))
assert(not dangerous_markup(content, allow_local_network_access))
content = 'This is a valid message without markup'
assert(not dangerousMarkup(content, allow_local_network_access))
assert(not dangerous_markup(content, allow_local_network_access))
content = '<p>This is a valid-looking message. But wait... ' + \
'<script>document.getElementById("concentrated")' + \
'.innerHTML = "evil";</script></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This is a valid-looking message. But wait... ' + \
'&lt;script&gt;document.getElementById("concentrated")' + \
'.innerHTML = "evil";&lt;/script&gt;</p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This html contains more than you expected... ' + \
'<script language="javascript">document.getElementById("abc")' + \
'.innerHTML = "def";</script></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This is a valid-looking message. But wait... ' + \
'<script src="https://evilsite/payload.js" /></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This message embeds an evil frame.' + \
'<iframe src="somesite"></iframe></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This message tries to obfuscate an evil frame.' + \
'< iframe src = "somesite"></ iframe ></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This message is not necessarily evil, but annoying.' + \
'<hr><br><br><br><br><br><br><br><hr><hr></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This message contans a ' + \
'<a href="https://validsite/index.html">valid link.</a></p>'
assert(not dangerousMarkup(content, allow_local_network_access))
assert(not dangerous_markup(content, allow_local_network_access))
content = '<p>This message contans a ' + \
'<a href="https://validsite/iframe.html">' + \
'valid link having invalid but harmless name.</a></p>'
assert(not dangerousMarkup(content, allow_local_network_access))
assert(not dangerous_markup(content, allow_local_network_access))
content = '<p>This message which <a href="127.0.0.1:8736">' + \
'tries to access the local network</a></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>This message which <a href="http://192.168.5.10:7235">' + \
'tries to access the local network</a></p>'
assert(dangerousMarkup(content, allow_local_network_access))
assert(dangerous_markup(content, allow_local_network_access))
content = '<p>127.0.0.1 This message which does not access ' + \
'the local network</a></p>'
assert(not dangerousMarkup(content, allow_local_network_access))
assert(not dangerous_markup(content, allow_local_network_access))
def _runHtmlReplaceQuoteMarks():

62
utils.py
View File

@ -840,61 +840,61 @@ def get_local_network_addresses() -> []:
return ('localhost', '127.0.', '192.168', '10.0.')
def is_local_network_address(ipAddress: str) -> bool:
def is_local_network_address(ip_address: str) -> bool:
"""Is the given ip address local?
"""
"""
localIPs = get_local_network_addresses()
for ipAddr in localIPs:
if ipAddress.startswith(ipAddr):
local_ips = get_local_network_addresses()
for ip_addr in local_ips:
if ip_address.startswith(ip_addr):
return True
return False
def _isDangerousString(content: str, allow_local_network_access: bool,
separators: [], invalidStrings: []) -> bool:
def _is_dangerous_string(content: str, allow_local_network_access: bool,
separators: [], invalid_strings: []) -> bool:
"""Returns true if the given string is dangerous
"""
for separatorStyle in separators:
startChar = separatorStyle[0]
endChar = separatorStyle[1]
if startChar not in content:
for separator_style in separators:
start_char = separator_style[0]
end_char = separator_style[1]
if start_char not in content:
continue
if endChar not in content:
if end_char not in content:
continue
contentSections = content.split(startChar)
invalidPartials = ()
content_sections = content.split(start_char)
invalid_partials = ()
if not allow_local_network_access:
invalidPartials = get_local_network_addresses()
for markup in contentSections:
if endChar not in markup:
invalid_partials = get_local_network_addresses()
for markup in content_sections:
if end_char not in markup:
continue
markup = markup.split(endChar)[0].strip()
for partialMatch in invalidPartials:
if partialMatch in markup:
markup = markup.split(end_char)[0].strip()
for partial_match in invalid_partials:
if partial_match in markup:
return True
if ' ' not in markup:
for badStr in invalidStrings:
if badStr in markup:
for bad_str in invalid_strings:
if bad_str in markup:
return True
else:
for badStr in invalidStrings:
if badStr + ' ' in markup:
for bad_str in invalid_strings:
if bad_str + ' ' in markup:
return True
return False
def dangerousMarkup(content: str, allow_local_network_access: bool) -> bool:
def dangerous_markup(content: str, allow_local_network_access: bool) -> bool:
"""Returns true if the given content contains dangerous html markup
"""
separators = [['<', '>'], ['&lt;', '&gt;']]
invalidStrings = [
invalid_strings = [
'script', 'noscript', 'code', 'pre',
'canvas', 'style', 'abbr',
'frame', 'iframe', 'html', 'body',
'hr', 'allow-popups', 'allow-scripts'
]
return _isDangerousString(content, allow_local_network_access,
separators, invalidStrings)
return _is_dangerous_string(content, allow_local_network_access,
separators, invalid_strings)
def dangerousSVG(content: str, allow_local_network_access: bool) -> bool:
@ -904,8 +904,8 @@ def dangerousSVG(content: str, allow_local_network_access: bool) -> bool:
invalidStrings = [
'script'
]
return _isDangerousString(content, allow_local_network_access,
separators, invalidStrings)
return _is_dangerous_string(content, allow_local_network_access,
separators, invalidStrings)
def getDisplayName(base_dir: str, actor: str, person_cache: {}) -> str:
@ -929,7 +929,7 @@ def getDisplayName(base_dir: str, actor: str, person_cache: {}) -> str:
if actor_json.get('name'):
nameFound = actor_json['name']
if nameFound:
if dangerousMarkup(nameFound, False):
if dangerous_markup(nameFound, False):
nameFound = "*ADVERSARY*"
return nameFound

4
webapp_timeline.py
View File

@ -11,7 +11,7 @@ import os
import time
from shutil import copyfile
from utils import is_artist
from utils import dangerousMarkup
from utils import dangerous_markup
from utils import get_config_param
from utils import get_full_domain
from utils import is_editor
@ -88,7 +88,7 @@ def _getHelpForTimeline(base_dir: str, boxName: str) -> str:
instanceTitle = 'Epicyon'
with open(helpFilename, 'r') as helpFile:
helpText = helpFile.read()
if dangerousMarkup(helpText, False):
if dangerous_markup(helpText, False):
return ''
helpText = helpText.replace('INSTANCE', instanceTitle)
return '<div class="container">\n' + \