コード例 #1
0
    def test_sanitize_article_body_with_evil_img_tag(self):
        target_html = '''
        <h2>sample h2</h2>
        <img src="http://{domain}/hoge.png" onerror='document.alert('evil')'>
        '''.format(domain=os.environ['DOMAIN'])

        expected_html = '''
        <h2>sample h2</h2>
        <img src="http://{domain}/hoge.png">
        '''.format(domain=os.environ['DOMAIN'])

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #2
0
    def test_sanitize_article_body_with_evil_a_tag(self):
        target_html = '''
        <h2>sample h2</h2>
        <a href="http://example.com" onclick="document.alert("evil")">link</a>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <a href="http://example.com">link</a>
        '''

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #3
0
    def test_sanitize_article_body_with_figcaption_unauthorized_attribute(self):
        target_html = '''
        <h2>sample h2</h2>
        <figcaption contenteditable='false' class='hoge' data='aaa'></figcaption>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <figcaption></figcaption>
        '''

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #4
0
    def test_sanitize_article_body_with_evil_other_site_url(self):
        target_html = '''
        <h2>sample h2</h2>
        <img src="http://hoge.com/hoge.png">
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <img>
        '''

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #5
0
    def test_sanitize_article_body_with_a_unauthorized_class(self):
        target_html = '''
        <h2>sample h2</h2>
        <a href="hogehoge" data='aaa'></a>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <a href="hogehoge"></a>
        '''

        result = TextSanitizer.sanitize_article_body_v2(target_html)

        self.assertEqual(result, expected_html)
コード例 #6
0
    def test_sanitize_article_body_with_div_unauthorized_class(self):
        target_html = '''
        <h2>sample h2</h2>
        <div class='hoge piyo' data='aaa'></div>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <div></div>
        '''

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #7
0
    def test_sanitize_article_body_with_div(self):
        target_html = '''
        <h2>sample h2</h2>
        <script>document.alert('evil')</script>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        &lt;script&gt;document.alert('evil')&lt;/script&gt;
        '''

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #8
0
    def test_sanitize_article_body_with_oembed_unauthorized_class(self):
        target_html = '''
        <h2>sample h2</h2>
        <oembed src='hogehoge' data='aaa'></oembed>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <oembed></oembed>
        '''

        result = TextSanitizer.sanitize_article_body_v2(target_html)

        self.assertEqual(result, expected_html)
コード例 #9
0
    def test_sanitize_article_body_with_figure_unauthorized_class(self):
        target_html = '''
        <h2>sample h2</h2>
        <figure class='image hogehoge' data='aaa'></figure>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <figure></figure>
        '''

        result = TextSanitizer.sanitize_article_body_v2(target_html)

        self.assertEqual(result, expected_html)
コード例 #10
0
    def test_sanitize_text(self):
        target_html = '''
        Sample text
        <script>document.alert('evil')</script>
        '''

        expected_html = '''
        Sample text
        &lt;script&gt;document.alert('evil')&lt;/script&gt;
        '''

        result = TextSanitizer.sanitize_text(target_html)

        self.assertEqual(result, expected_html)
コード例 #11
0
    def test_sanitize_article_body_with_figure_unauthorized_contenteditable(self):
        target_html = '''
        <h2>sample h2</h2>
        <figure contenteditable='true' data='aaa'></figure>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <figure></figure>
        '''

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #12
0
    def __create_article_fraud_user(self, article_fraud_user_table):
        article_fraud_user = {
            'article_id': self.event['pathParameters']['article_id'],
            'user_id': self.event['requestContext']['authorizer']['claims']['cognito:username'],
            'reason': self.params.get('reason'),
            'origin_url': self.params.get('origin_url'),
            'free_text': TextSanitizer.sanitize_text(self.params.get('free_text')),
            'created_at': int(time.time())
        }
        DBUtil.items_values_empty_to_none(article_fraud_user)

        article_fraud_user_table.put_item(
            Item=article_fraud_user,
            ConditionExpression='attribute_not_exists(article_id)'
        )
コード例 #13
0
    def test_sanitize_article_body_with_div_unauthorized_url(self):
        target_html = '''
        <h2>sample h2</h2>
        <div class='hoge piyo' data='aaa' contenteditable='true'></div>
        <div data-alis-iframely-url="https://example.com/hoge?<script>piyo</script>">hoge</div>
        '''

        expected_html = '''
        <h2>sample h2</h2>
        <div></div>
        <div>hoge</div>
        '''

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, expected_html)
コード例 #14
0
    def test_sanitize_article_body(self):
        target_html = '''
        <h2>sample h2</h2>

        <h3>sample h3</h3>

        <i>icon</i><p>sentence</p><u>under bar</u>

        <b>bold</b><br><blockquote>blockquote</blockquote>
        <div class="medium-insert-images">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption class="" contenteditable="true">aaaaaa</figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-left" contenteditable="false">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption class="" contenteditable="true"></figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-right" contenteditable="false">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption contenteditable="true">aaaaaa</figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-grid">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption class="">aaaaaa</figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-wide">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
            </figure>
        </div>
        <a href="http://example.com">link</a>
        <div data-alis-iframely-url="https://twitter.com/hoge">hoge</div>
        <div data-alis-iframely-url="https://example.com/hoge?x=1">hoge</div>
        <div data-alis-iframely-url="http://example.com/hoge?x=1%3Cdiv%3Ehoge%3C%2Fdiv%3E">hoge</div>
        '''.format(domain=os.environ['DOMAIN'])

        result = TextSanitizer.sanitize_article_body(target_html)

        self.assertEqual(result, target_html)
コード例 #15
0
    def exec_main_proc(self):
        # 下書き記事を保存
        expression_attribute_values = {
            ':body':
            TextSanitizer.sanitize_article_body_v2(self.params.get('body'))
        }
        DBUtil.items_values_empty_to_none(expression_attribute_values)
        self.__update_article_content(expression_attribute_values)
        # 履歴を保存
        DBUtil.put_article_content_edit_history(
            dynamodb=self.dynamodb,
            user_id=self.event['requestContext']['authorizer']['claims']
            ['cognito:username'],
            article_id=self.params.get('article_id'),
            sanitized_body=expression_attribute_values[':body'])

        return {'statusCode': 200}
コード例 #16
0
    def exec_main_proc(self):
        sort_key = TimeUtil.generate_sort_key()
        user_id = self.event['requestContext']['authorizer']['claims'][
            'cognito:username']

        comment_id = self.__generate_comment_id(sort_key)

        comment_table = self.dynamodb.Table(os.environ['COMMENT_TABLE_NAME'])

        comment = {
            'comment_id': comment_id,
            'article_id': self.params['article_id'],
            'text': TextSanitizer.sanitize_text(self.params['text']),
            'user_id': user_id,
            'sort_key': sort_key,
            'created_at': int(time.time())
        }

        comment_table.put_item(
            Item=comment,
            ConditionExpression='attribute_not_exists(comment_id)')

        # 優先度が低いため通知処理は失敗しても握り潰して200を返す(ログは出して検知できるようにする)
        try:
            article_info_table = self.dynamodb.Table(
                os.environ['ARTICLE_INFO_TABLE_NAME'])
            article_info = article_info_table.get_item(
                Key={'article_id': self.params['article_id']})['Item']

            if self.__is_notifiable_comment(article_info, user_id):
                self.__create_comment_notification(article_info, comment_id,
                                                   user_id)
                self.__update_unread_notification_manager(article_info)

        except Exception as err:
            logging.fatal(err)
            traceback.print_exc()
        finally:
            return {
                'statusCode': 200,
                'body': json.dumps({'comment_id': comment_id})
            }
コード例 #17
0
    def exec_main_proc(self):
        article_content_edit_table = self.dynamodb.Table(
            os.environ['ARTICLE_CONTENT_EDIT_TABLE_NAME'])

        expression_attribute_values = {
            ':user_id':
            self.event['requestContext']['authorizer']['claims']
            ['cognito:username'],
            ':title':
            TextSanitizer.sanitize_text(self.params.get('title'))
        }
        DBUtil.items_values_empty_to_none(expression_attribute_values)

        article_content_edit_table.update_item(
            Key={
                'article_id': self.params['article_id'],
            },
            UpdateExpression="set user_id=:user_id, title=:title",
            ExpressionAttributeValues=expression_attribute_values)

        return {'statusCode': 200}
コード例 #18
0
    def test_sanitize_text(self):
        target_html = '''
        Sample text
        <script>document.alert('evil')</script>
        <b>bold</b>
        <h2>sample h2</h2>
        <h3>sample h3</h3>
        <i>icon</i><p>sentence</p><u>under bar</u>
        <b>bold</b><br><blockquote>blockquote</blockquote>
        '''

        expected_html = '''
        Sample text
        &lt;script&gt;document.alert('evil')&lt;/script&gt;
        &lt;b&gt;bold&lt;/b&gt;
        &lt;h2&gt;sample h2&lt;/h2&gt;
        &lt;h3&gt;sample h3&lt;/h3&gt;
        &lt;i&gt;icon&lt;/i&gt;&lt;p&gt;sentence&lt;/p&gt;&lt;u&gt;under bar&lt;/u&gt;
        &lt;b&gt;bold&lt;/b&gt;&lt;br&gt;&lt;blockquote&gt;blockquote&lt;/blockquote&gt;
        '''

        result = TextSanitizer.sanitize_text(target_html)

        self.assertEqual(result, expected_html)
コード例 #19
0
    def test_sanitize_article_body_with_none_text(self):
        result = TextSanitizer.sanitize_text(None)

        self.assertEqual(result, None)
コード例 #20
0
    def test_validate_img_url_ok(self):
        img_url = 'https://' + os.environ['DOMAIN'] + '/img/test.jpg'
        result = TextSanitizer.validate_img_url(img_url)

        self.assertEqual(result, True)
コード例 #21
0
    def test_validate_img_url_ok_root_path(self):
        img_url = 'img/test.jpg'
        result = TextSanitizer.validate_img_url(img_url)

        self.assertEqual(result, True)
コード例 #22
0
 def test_validate_img_url_ng_not_domain(self):
     with self.assertRaises(ValidationError):
         img_url = 'https://test.to/test.jpg'
         TextSanitizer.validate_img_url(img_url)