[SECURITY] Prevent phishing through misleading link titles

2026-05-03 14:54:04 +00:00 · 2020-12-18 18:22:52 +01:00
parent 2239128971
commit d7a12cc1ee
2 changed files with 76 additions and 2 deletions
--- a/src/pretix/base/templatetags/rich_text.py
+++ b/src/pretix/base/templatetags/rich_text.py
@@ -1,3 +1,4 @@
+import re
 import urllib.parse

 import bleach
@@ -71,6 +72,10 @@ EMAIL_RE = build_email_re(tlds=sorted(tld_set, key=len, reverse=True))


 def safelink_callback(attrs, new=False):
+    """
+    Makes sure that all links to a different domain are passed through a redirection handler
+    to ensure there's no passing of referers with secrets inside them.
+    """
    url = attrs.get((None, 'href'), '/')
    if not url_has_allowed_host_and_scheme(url, allowed_hosts=None) and not url.startswith('mailto:') and not url.startswith('tel:'):
        signer = signing.Signer(salt='safe-redirect')
@@ -80,7 +85,42 @@ def safelink_callback(attrs, new=False):
    return attrs


+def truelink_callback(attrs, new=False):
+    """
+    Tries to prevent "phishing" attacks in which a link looks like it points to a safe place but instead
+    points somewhere else, e.g.
+
+        <a href="https://evilsite.com">https://google.com</a>
+
+    At the same time, custom texts are still allowed:
+
+        <a href="https://maps.google.com">Get to the event</a>
+
+    Suffixes are also allowed:
+
+        <a href="https://maps.google.com/location/foo">https://maps.google.com</a>
+    """
+    text = re.sub('[^a-zA-Z0-9.-/_]', '', attrs.get('_text'))  # clean up link text
+    if URL_RE.match(text):
+        # link text looks like a url
+        if text.startswith('//'):
+            text = 'https:' + text
+        elif not text.startswith('http'):
+            text = 'https://' + text
+
+        text_url = urllib.parse.urlparse(text)
+        href_url = urllib.parse.urlparse(attrs[None, 'href'])
+        if text_url.netloc != href_url.netloc or not href_url.path.startswith(href_url.path):
+            # link text contains an URL that has a different base than the actual URL
+            attrs['_text'] = attrs[None, 'href']
+    return attrs
+
+
 def abslink_callback(attrs, new=False):
+    """
+    Makes sure that all links will be absolute links and will be opened in a new page with no
+    window.opener attribute.
+    """
    url = attrs.get((None, 'href'), '/')
    if not url.startswith('mailto:') and not url.startswith('tel:'):
        attrs[None, 'href'] = urllib.parse.urljoin(settings.SITE_URL, url)
@@ -93,6 +133,7 @@ def markdown_compile_email(source):
    linker = bleach.Linker(
        url_re=URL_RE,
        email_re=EMAIL_RE,
+        callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
        parse_email=True
    )
    return linker.linkify(bleach.clean(
@@ -145,7 +186,7 @@ def rich_text(text: str, **kwargs):
    linker = bleach.Linker(
        url_re=URL_RE,
        email_re=EMAIL_RE,
-        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback]),
+        callbacks=DEFAULT_CALLBACKS + ([truelink_callback, safelink_callback] if kwargs.get('safelinks', True) else [truelink_callback, abslink_callback]),
        parse_email=True
    )
    body_md = linker.linkify(markdown_compile(text))
@@ -161,7 +202,7 @@ def rich_text_snippet(text: str, **kwargs):
    linker = bleach.Linker(
        url_re=URL_RE,
        email_re=EMAIL_RE,
-        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback]),
+        callbacks=DEFAULT_CALLBACKS + ([truelink_callback, safelink_callback] if kwargs.get('safelinks', True) else [truelink_callback, abslink_callback]),
        parse_email=True
    )
    body_md = linker.linkify(markdown_compile(text, snippet=True))
--- a/src/tests/base/test_rich_text.py
+++ b/src/tests/base/test_rich_text.py
@@ -0,0 +1,33 @@
+import pytest
+
+from pretix.base.templatetags.rich_text import rich_text, rich_text_snippet, markdown_compile_email
+
+
+@pytest.mark.parametrize("link", [
+    # Test link detection
+    ("google.com",
+     '<a href="http://google.com" rel="noopener" target="_blank">google.com</a>'),
+    # Test abslink_callback
+    ("[Call](tel:+12345)",
+     '<a href="tel:+12345" rel="nofollow">Call</a>'),
+    ("[Foo](/foo)",
+     '<a href="http://example.com/foo" rel="noopener" target="_blank">Foo</a>'),
+    ("mail@example.org",
+     '<a href="mailto:mail@example.org">mailto:mail@example.org</a>'),
+    # Test truelink_callback
+    ('<a href="https://evilsite.com">Evil Site</a>',
+     '<a href="https://evilsite.com" rel="noopener" target="_blank">Evil Site</a>'),
+    ('<a href="https://evilsite.com">evilsite.com</a>',
+     '<a href="https://evilsite.com" rel="noopener" target="_blank">evilsite.com</a>'),
+    ('<a href="https://evilsite.com">goodsite.com</a>',
+     '<a href="https://evilsite.com" rel="noopener" target="_blank">https://evilsite.com</a>'),
+    ('<a href="https://goodsite.com.evilsite.com">goodsite.com</a>',
+     '<a href="https://goodsite.com.evilsite.com" rel="noopener" target="_blank">https://goodsite.com.evilsite.com</a>'),
+    ('<a href="https://evilsite.com/deep/path">evilsite.com</a>',
+     '<a href="https://evilsite.com/deep/path" rel="noopener" target="_blank">evilsite.com</a>'),
+])
+def test_linkify_abs(link):
+    input, output = link
+    assert rich_text_snippet(input, safelinks=False) == output
+    assert rich_text(input, safelinks=False) == f'<p>{output}</p>'
+    assert markdown_compile_email(input) == f'<p>{output}</p>'