[SECURITY] Prevent HTML injection through placeholders in emails

Co-authored-by: luelista <weller@pretix.eu>

src/tests/base/test_mail.py

@@ -33,6 +33,8 @@
 # License for the specific language governing permissions and limitations under the License.
 
 import os
+import re
+from email.mime.text import MIMEText
 
 import pytest
 from django.conf import settings
@@ -40,7 +42,9 @@ from django.core import mail as djmail
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_scopes import scope
+from i18nfield.strings import LazyI18nString
 
+from pretix.base.email import get_email_context
 from pretix.base.models import Event, Organizer, User
 from pretix.base.services.mail import mail
 
@@ -48,10 +52,14 @@ from pretix.base.services.mail import mail
 @pytest.fixture
 def env():
     o = Organizer.objects.create(name='Dummy', slug='dummy')
+    prop1 = o.meta_properties.get_or_create(name="Test")[0]
+    prop2 = o.meta_properties.get_or_create(name="Website")[0]
     event = Event.objects.create(
         organizer=o, name='Dummy', slug='dummy',
         date_from=now()
     )
+    event.meta_values.update_or_create(property=prop1, defaults={'value': "*Beep*"})
+    event.meta_values.update_or_create(property=prop2, defaults={'value': "https://example.com"})
     user = User.objects.create_user('dummy@dummy.dummy', 'dummy')
     user.email = 'dummy@dummy.dummy'
     user.save()
@@ -158,8 +166,95 @@ def test_send_mail_with_user_locale(env):
 def test_sendmail_placeholder(env):
     djmail.outbox = []
     event, user, organizer = env
-    mail('dummy@dummy.dummy', '{event} Test subject', 'mailtest.txt', {"event": event}, event)
+    mail('dummy@dummy.dummy', '{event} Test subject', 'mailtest.txt', {"event": event.name}, event)
 
     assert len(djmail.outbox) == 1
     assert djmail.outbox[0].to == [user.email]
     assert djmail.outbox[0].subject == 'Dummy Test subject'
+
+
+def _extract_html(mail):
+    for content, mimetype in mail.alternatives:
+        if "multipart/related" in mimetype:
+            for sp in content._payload:
+                if isinstance(sp, MIMEText):
+                    return sp._payload
+                    break
+        elif "text/html" in mimetype:
+            return content
+
+
+@pytest.mark.django_db
+def test_placeholder_html_rendering_from_template(env):
+    djmail.outbox = []
+    event, user, organizer = env
+    event.name = "<strong>event & co. kg</strong>"
+    event.save()
+    mail('dummy@dummy.dummy', '{event} Test subject', 'mailtest.txt', get_email_context(
+        event=event,
+        payment_info="**IBAN**: 123  \n**BIC**: 456",
+    ), event)
+
+    assert len(djmail.outbox) == 1
+    assert djmail.outbox[0].to == [user.email]
+    assert 'Event name: <strong>event & co. kg</strong>' in djmail.outbox[0].body
+    assert '**IBAN**: 123  \n**BIC**: 456' in djmail.outbox[0].body
+    assert '**Meta**: *Beep*' in djmail.outbox[0].body
+    assert 'Event website: [<strong>event & co. kg</strong>](https://example.org/dummy)' in djmail.outbox[0].body
+    assert 'Other website: [<strong>event & co. kg</strong>](https://example.com)' in djmail.outbox[0].body
+    assert '&lt;' not in djmail.outbox[0].body
+    assert '&amp;' not in djmail.outbox[0].body
+    html = _extract_html(djmail.outbox[0])
+
+    assert '<strong>event' not in html
+    assert 'Event name: &lt;strong&gt;event &amp; co. kg&lt;/strong&gt;' in html
+    assert '<strong>IBAN</strong>: 123<br/>\n<strong>BIC</strong>: 456' in html
+    assert '<strong>Meta</strong>: <em>Beep</em>' in html
+    assert re.search(
+        r'Event website: <a href="https://example.org/dummy" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
+        html
+    )
+    assert re.search(
+        r'Other website: <a href="https://example.com" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
+        html
+    )
+
+
+@pytest.mark.django_db
+def test_placeholder_html_rendering_from_string(env):
+    template = LazyI18nString({
+        "en": "Event name: {event}\n\nPayment info:\n{payment_info}\n\n**Meta**: {meta_Test}\n\n"
+              "Event website: [{event}](https://example.org/{event_slug})\n\n"
+              "Other website: [{event}]({meta_Website})"
+    })
+    djmail.outbox = []
+    event, user, organizer = env
+    event.name = "<strong>event & co. kg</strong>"
+    event.save()
+    mail('dummy@dummy.dummy', '{event} Test subject', template, get_email_context(
+        event=event,
+        payment_info="**IBAN**: 123  \n**BIC**: 456",
+    ), event)
+
+    assert len(djmail.outbox) == 1
+    assert djmail.outbox[0].to == [user.email]
+    assert 'Event name: <strong>event & co. kg</strong>' in djmail.outbox[0].body
+    assert 'Event website: [<strong>event & co. kg</strong>](https://example.org/dummy)' in djmail.outbox[0].body
+    assert 'Other website: [<strong>event & co. kg</strong>](https://example.com)' in djmail.outbox[0].body
+    assert '**IBAN**: 123  \n**BIC**: 456' in djmail.outbox[0].body
+    assert '**Meta**: *Beep*' in djmail.outbox[0].body
+    assert '&lt;' not in djmail.outbox[0].body
+    assert '&amp;' not in djmail.outbox[0].body
+    html = _extract_html(djmail.outbox[0])
+    assert '<strong>event' not in html
+    assert 'Event name: &lt;strong&gt;event &amp; co. kg&lt;/strong&gt;' in html
+    assert '<strong>IBAN</strong>: 123<br/>\n<strong>BIC</strong>: 456' in html
+    assert '<strong>Meta</strong>: <em>Beep</em>' in html
+    assert re.search(
+        r'Event website: <a href="https://example.org/dummy" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
+        html
+    )
+    assert re.search(
+        r'Other website: <a href="https://example.com" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
+        html
+    )

src/tests/helpers/test_format.py

@@ -40,6 +40,5 @@ def test_format_alternatives():
         )
     }
 
-    assert format_map("Foo {bar}", ctx, mode=SafeFormatter.MODE_IGNORE_RICH) == "Foo {bar}"
     assert format_map("Foo {bar}", ctx, mode=SafeFormatter.MODE_RICH_TO_PLAIN) == "Foo plain text"
     assert format_map("Foo {bar}", ctx, mode=SafeFormatter.MODE_RICH_TO_HTML) == "Foo <span>HTML version</span>"

src/tests/templates/mailtest.txt

@@ -1,4 +1,13 @@
 {% load i18n %}
 This is a test file for sending mails.
+Event name: {event}
 {% get_current_language as LANGUAGE_CODE %}
 The language code used for rendering this email is {{ LANGUAGE_CODE }}.
+
+Payment info:
+{payment_info}
+
+**Meta**: {meta_Test}
+
+Event website: [{event}](https://example.org/{event_slug})
+Other website: [{event}]({meta_Website})