From 60ae676075f862d27a402d5b2c70fdebc6fe1190 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Thu, 13 Jan 2022 19:19:06 -0800
Subject: [PATCH] fix(util): catch homepage validation exceptions

We were allowing erroneous URLs through, raising exceptions, from e.g. `http://[localhost:8444/blah`. This patch catches any ValueErrors raised during the parse process and returns False, indicating that the validation failed. This patch also adds testing specifically for `util.valid_homepage`. We didn't have specific testing for this before; this will allow us to catch regressions in this area.
Closes #250
Signed-off-by: Kevin Morris
---
 aurweb/util.py | 5 ++++-
 test/test_util.py | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/aurweb/util.py b/aurweb/util.py
index 0eb2671e..bda743fd 100644
--- a/aurweb/util.py
+++ b/aurweb/util.py
@@ -63,7 +63,10 @@ def valid_email(email):
 def valid_homepage(homepage):
- parts = urlparse(homepage)
+ try:
+ parts = urlparse(homepage)
+ except ValueError:
+ return False
 return parts.scheme in ("http", "https") and bool(parts.netloc)
diff --git a/test/test_util.py b/test/test_util.py
index 41876fbf..91a0f475 100644
--- a/test/test_util.py
+++ b/test/test_util.py
@@ -85,3 +85,12 @@ async def test_error_or_result():
 response = await util.error_or_result(good_route, Request())
 assert response.status_code == HTTPStatus.OK
+
+
+def test_valid_homepage():
+ assert util.valid_homepage("http://google.com")
+ assert util.valid_homepage("https://google.com")
+ assert not util.valid_homepage("http://[google.com/broken-ipv6")
+ assert not util.valid_homepage("https://[google.com/broken-ipv6")
+
+ assert not util.valid_homepage("gopher://gopher.hprc.utoronto.ca/")
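Review bot: The final check in `valid_homepage` still passes URLs that have no host, because `bool(parts.netloc)` tests the raw authority string, which is non-empty for input such as `http://:8444/` (constructed example; its netloc is `:8444`). Testing the parsed host instead closes that gap: `return parts.scheme in ("http", "https") and bool(parts.hostname)`. Keeping that return inside the `try` would also cover any ValueError raised lazily by the parsed attributes rather than by `urlparse` itself. A one-line docstring stating that only absolute http/https URLs with a host are accepted would make the contract explicit for callers.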
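Review bot: `test_valid_homepage` pins the broken-IPv6 case from the commit message but never exercises the `bool(parts.netloc)` half of the check, so a regression that drops the host requirement would still pass. Adding `assert not util.valid_homepage("http://")` and `assert not util.valid_homepage("")` would cover the empty-host and empty-input cases. The scheme allowlist is exercised only with `gopher://`. A scheme-only value with no authority, e.g. `assert not util.valid_homepage("javascript:void(0)")`, is worth pinning if the homepage is later rendered as a link, which is presumably the case but is not visible in this hunk.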