Prevent external redirects

2025-08-08 19:28:29 +02:00 · 2022-03-25 18:29:54 +01:00
parent 1ffc3e0266
commit edb71286e7
11 changed files with 94 additions and 40 deletions
--- a/bookmarks/tests/test_bookmark_edit_view.py
+++ b/bookmarks/tests/test_bookmark_edit_view.py
@@ -20,7 +20,6 @@ class BookmarkEditViewTestCase(TestCase, BookmarkFactoryMixin):
            'tag_string': 'editedtag1 editedtag2',
            'title': 'edited title',
            'description': 'edited description',
-            'return_url': reverse('bookmarks:index'),
        }
        return {**form_data, **overrides}

@@ -40,17 +39,6 @@ class BookmarkEditViewTestCase(TestCase, BookmarkFactoryMixin):
        self.assertEqual(bookmark.tags.all()[0].name, 'editedtag1')
        self.assertEqual(bookmark.tags.all()[1].name, 'editedtag2')

-    def test_should_use_bookmark_index_as_default_return_url(self):
-        bookmark = self.setup_bookmark()
-
-        response = self.client.get(reverse('bookmarks:edit', args=[bookmark.id]))
-        html = response.content.decode()
-
-        self.assertInHTML(
-            '<input type="hidden" name="return_url" value="{0}" '
-            'id="id_return_url">'.format(reverse('bookmarks:index')),
-            html)
-
    def test_should_prefill_bookmark_form_fields(self):
        tag1 = self.setup_tag()
        tag2 = self.setup_tag()
@@ -81,21 +69,30 @@ class BookmarkEditViewTestCase(TestCase, BookmarkFactoryMixin):
                          '</textarea>'.format(bookmark.description),
                          html)

-    def test_should_prefill_return_url_from_url_parameter(self):
-        bookmark = self.setup_bookmark()
-
-        response = self.client.get(reverse('bookmarks:edit', args=[bookmark.id]) + '?return_url=/test-return-url')
-        html = response.content.decode()
-
-        self.assertInHTML('<input type="hidden" name="return_url" value="/test-return-url" id="id_return_url">', html)
-
    def test_should_redirect_to_return_url(self):
        bookmark = self.setup_bookmark()
-        form_data = self.create_form_data({'return_url': reverse('bookmarks:close')})
+        form_data = self.create_form_data()
+
+        url = reverse('bookmarks:edit', args=[bookmark.id]) + '?return_url=' + reverse('bookmarks:close')
+        response = self.client.post(url, form_data)
+
+        self.assertRedirects(response, reverse('bookmarks:close'))
+
+    def test_should_redirect_to_bookmark_index_by_default(self):
+        bookmark = self.setup_bookmark()
+        form_data = self.create_form_data()

        response = self.client.post(reverse('bookmarks:edit', args=[bookmark.id]), form_data)

-        self.assertRedirects(response, form_data['return_url'])
+        self.assertRedirects(response, reverse('bookmarks:index'))
+
+    def test_should_not_redirect_to_external_url(self):
+        bookmark = self.setup_bookmark()
+        form_data = self.create_form_data({'return_url': 'https://example.com'})
+
+        response = self.client.post(reverse('bookmarks:edit', args=[bookmark.id]), form_data)
+
+        self.assertRedirects(response, reverse('bookmarks:index'))

    def test_can_only_edit_own_bookmarks(self):
        other_user = User.objects.create_user('otheruser', 'otheruser@example.com', 'password123')