Skip to content
This repository was archived by the owner on Mar 15, 2021. It is now read-only.

Add django interpretation in email template #82

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Add django interpretation in email template #82

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
46db7d2
Add django rendering from email template
julienlh Sep 15, 2017
9066259
Improve performance
julienlh Sep 15, 2017
018cea7
Add tests (security test don't work with load injection)
julienlh Sep 15, 2017
da58ea4
Merge branch 'master' into Add_django_interpretation_in_email_template
Sep 21, 2017
e9ceb20
Add sandbowing to avoid security issues
julienlh Oct 23, 2017
8900a9f
Merge branch 'master' into Add_django_interpretation_in_email_template
Oct 23, 2017
318b592
Merge branch 'master' into Add_django_interpretation_in_email_template
treemo Nov 28, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 12 additions & 12 deletions phishing/helpers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,11 @@
from django.core.mail import EmailMultiAlternatives
from django.core.mail.backends.smtp import EmailBackend
from django.core.urlresolvers import reverse
from django.template import Context
from django.template import Template
from django.template.loader import render_to_string
from django.utils.translation import ugettext_lazy as _
from jinja2.sandbox import SandboxedEnvironment
from pyshorteners import Shortener

from mercure.settings import HOSTNAME
Expand Down Expand Up @@ -210,7 +213,7 @@ def minimize_url(url):
return Shortener('Tinyurl', timeout=10.0).short(url) if url else ''


def replace_template_vars(template, campaign=None, target=None,
def render_jinja2(template, campaign=None, target=None,
email_template=None):
"""Replace vars in template

Expand All @@ -220,16 +223,13 @@ def replace_template_vars(template, campaign=None, target=None,
:param email_template: `.models.EmailTemplate`
:return: content with value
"""
for var in get_template_vars(campaign, target, email_template):
names = (
'{{%s}}' % var['name'],
'{{ %s }}' % var['name']
)
value = var['value'] or ''
for name in names:
template = template.replace(name, value)

return template
vars = get_template_vars(campaign, target, email_template)
env = SandboxedEnvironment()
context = {}
for v in vars:
context[v['name']] = v['value']
tpl = env.from_string(template)
return tpl.render(context)


def start_campaign(campaign):
Expand Down Expand Up @@ -265,7 +265,7 @@ def add_tracker(key, value, infos=None):

# replace template vars helper function
def replace_vars(content):
return replace_template_vars(content, campaign, target,
return render_jinja2(content, campaign, target,
email_template)

# send email
Expand Down
12 changes: 6 additions & 6 deletions phishing/tests/signal.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
from django.urls import reverse
from shutil import copyfile

from phishing.helpers import get_template_vars, replace_template_vars
from phishing.helpers import get_template_vars, render_jinja2
from phishing.models import Attachment, Campaign, EmailTemplate, LandingPage, \
Target, TargetGroup, Tracker, TrackerInfos
from phishing.signals import make_campaign_report, make_menu, \
Expand Down Expand Up @@ -60,7 +60,7 @@ def handler(vars_data, **kwarg):
self.assertEqual(var_data['description'], 'Is a test!')

# test replace
content = replace_template_vars('{{ test_var }}')
content = render_jinja2('{{ test_var }}')
self.assertEqual(content, 'Hello!')

# clean
Expand All @@ -81,7 +81,7 @@ def handler(vars_data, **kwarg):
self.assertEqual(var_data['value'], 'Hello Word!')

# test replace
content = replace_template_vars('{{ email }}')
content = render_jinja2('{{ email }}')
self.assertEqual(content, 'Hello Word!')

# clean
Expand All @@ -100,9 +100,9 @@ def handler(vars_data, **kwarg):
var_data = self.get('email')
self.assertIsNone(var_data)

# test replace
content = replace_template_vars('{{ email }}')
self.assertEqual(content, '{{ email }}')
# test render
content = render_jinja2('{{ email }}')
self.assertEqual(content, '')

# clean
self.assertTrue(make_template_vars.disconnect(handler))
Expand Down
29 changes: 28 additions & 1 deletion phishing/tests/template.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,8 @@
from django.test import TestCase
from django.urls import reverse

from phishing.helpers import minimize_url, get_template_vars
from phishing.helpers import minimize_url, get_template_vars, \
render_jinja2
from phishing.models import Target, TargetGroup, EmailTemplate
from phishing.tests.constant import FIXTURE_PATH

Expand Down Expand Up @@ -240,3 +241,29 @@ def test_delete_email_template_permissions(self):
self.assertEqual(resp.status_code, 200)

# TODO: Test user that is not admin

def test_security_template(self):
# test render
content = render_jinja2('{{ request }}')
self.assertEqual(content, '')

# test render
with self.assertRaises(Exception) as context:
render_jinja2(
"{% include 'phishing/email/tracker_image.html' %}")
self.assertTrue('no loader for this environment specified'
in str(context.exception))

# test load
with self.assertRaises(Exception) as context:
render_jinja2(
'{% load log %}{% get_admin_log 10 as admin_log %}{{ admin_log }}')
self.assertTrue('Encountered unknown tag \'load\'.'
in str(context.exception))

# list load avalible
with self.assertRaises(Exception) as context:
render_jinja2('{% load fghdfhfghd %}')
self.assertTrue('Encountered unknown tag \'load\'.'
in str(context.exception))