
Add honeypot to Source Interface to stop very basic spambots #6302

Merged (1 commit) on Feb 25, 2022

Conversation

@legoktm (Member) commented Feb 22, 2022

Status

Ready for review

Description of Changes

Add a hidden, empty input field to the Source Interface form that will
abort if anything is submitted in it. This will hopefully stop the most
basic of spambots that fill in spam in every form field they see and
submit the form. It is unlikely to stop any spambot specifically
designed for SecureDrop, as those will adapt as necessary.

This is inspired by and copied from MediaWiki's "SimpleAntiSpam"
functionality originally written by Ryan Schmidt[1].

[1] https://www.mediawiki.org/w/index.php?oldid=797352

Fixes #6295.

Testing

  • Create a new source and submit a dummy message in the SI, observe that it works fine
  • Use the browser's inspector to disable the "display: none", write something in the antispam input field, and submit. You should get a 403 error screen.

Deployment

No concerns.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container
  • I have written a test plan and validated it for this PR
  • These changes do not require documentation
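The trap the description and test plan rely on, as an added example that is not SecureDrop's code. SecureDrop's Source Interface is a Flask application; to stay self-contained this version uses only the Python standard library, parsing a form-encoded POST body by hand. The client-facing field name "text" and the server-side label "antispam" follow what the PR discussion describes; the function names, the "msg" field, the response strings and the sample request bodies are assumptions made for the illustration.

```python
"""Honeypot ("SimpleAntiSpam"-style) form check, standard library only.

Added illustration, not SecureDrop's own code. Only the client-facing field
name "text" and the server-side label "antispam" come from the PR; everything
else here (function names, the "msg" field, responses, sample bodies) is an
assumption for the demo.
"""
from urllib.parse import parse_qs, urlencode

# Name the client sees: deliberately boring so a bot cannot key on it.
HONEYPOT_FIELD = "text"
# Name used server-side when a rejection is logged.
HONEYPOT_LABEL = "antispam"


def render_form() -> str:
    """Return the message form with the empty, hidden honeypot input.

    The field is hidden with CSS (inline here for self-containment; the
    merged PR moved the rule into the stylesheet). autocomplete="off" stops
    a browser from pre-filling it and tabindex="-1" keeps keyboard users out
    of it. A real browser submits it with an empty value; a naive bot that
    fills every input it finds submits junk in it.
    """
    return (
        '<form method="post" action="/lookup">\n'
        '  <textarea name="msg"></textarea>\n'
        f'  <input type="text" name="{HONEYPOT_FIELD}" value="" '
        'autocomplete="off" tabindex="-1" style="display: none">\n'
        '  <button type="submit">Submit</button>\n'
        '</form>'
    )


def handle_submission(body: str) -> tuple[int, str]:
    """Process an application/x-www-form-urlencoded POST body.

    Returns (status, text). keep_blank_values=True matters: without it the
    empty honeypot a browser sends would vanish from the parsed dict, and
    a repeated field (text=&text=spam) would still be caught only because
    the non-empty copy survives.
    """
    form = parse_qs(body, keep_blank_values=True)
    # Abort on anything in the trap, including repeated copies of the field.
    # Only the presence of content is checked; the payload itself is never
    # echoed back or logged, so a bot cannot use the response as an oracle
    # beyond the 403 it already gets.
    if any(value.strip() for value in form.get(HONEYPOT_FIELD, [])):
        print(f"{HONEYPOT_LABEL}: hidden field was filled, rejecting submission")
        return 403, "Forbidden"
    message = form.get("msg", [""])[0].strip()
    if not message:
        return 400, "You must enter a message."
    return 200, "Thanks! We received your message."


# Constructed sample bodies (assumed for the demo), mirroring the test plan:
# a normal browser submission, a bot that fills every field, and a tester
# who un-hid the field in the inspector and typed into it.
BROWSER_BODY = urlencode({"msg": "hello", HONEYPOT_FIELD: ""})
NAIVE_BOT_BODY = urlencode({"msg": "buy now", HONEYPOT_FIELD: "buy now"})
TEST_PLAN_BODY = urlencode({"msg": "hello", HONEYPOT_FIELD: "x"})

if __name__ == "__main__":
    print(render_form())
    for label, body in (("browser", BROWSER_BODY),
                        ("naive bot", NAIVE_BOT_BODY),
                        ("test plan", TEST_PLAN_BODY)):
        print(f"{label:10} {body!r} -> {handle_submission(body)}")
```

The check deliberately treats an absent field the same as an empty one, matching the PR's "abort if anything is submitted in it" rather than requiring the field to be present; a stricter variant would also reject bodies that omit it, at the cost of breaking any client that strips unknown inputs. As the description itself notes, a bot that renders CSS or is written against this form will simply leave the field blank, so this is a filter for the laziest crawlers, not a control against targeted abuse.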

@legoktm (Member, Author) commented Feb 22, 2022

The HTML lint check is failing with:

securedrop/source_templates/lookup.html:61:10: Error: Separation of concerns: CSS should be defined in its own file: Move the contents of the "style" attribute to its own CSS file.

Putting the CSS inline is intentional, it ensures the field is always hidden, regardless of other CSS rules or if CSS fails to load for whatever reason. That said, I don't think it's a big loss to put it in the CSS and can do so if others think we should.

@zenmonkeykstop (Contributor) commented Feb 24, 2022

👍 to managing it via SASS like the rest of the CSS. Don't want to end up with a bunch of unnecessary linting exemptions.

@legoktm force-pushed the 6295-simpleantispam branch from c5e63e5 to d0077cc on February 24, 2022 19:56

@legoktm (Member, Author) commented Feb 24, 2022

Latest version renamed the form field to a boring "text", while keeping the name "antispam" server-side. And moved the inline styling to CSS.

@legoktm force-pushed the 6295-simpleantispam branch from d0077cc to bc55225 on February 24, 2022 22:12
@legoktm legoktm marked this pull request as ready for review February 24, 2022 23:14
@legoktm legoktm requested a review from a team as a code owner February 24, 2022 23:14
@zenmonkeykstop zenmonkeykstop self-assigned this Feb 24, 2022
@zenmonkeykstop zenmonkeykstop added this to the 2.3.0 milestone Feb 24, 2022
@zenmonkeykstop (Contributor) left a review comment

Test plan looks good, code changes are minimal, field name is sufficiently boring. 👍

@zenmonkeykstop zenmonkeykstop merged commit d9d72d5 into develop Feb 25, 2022
@zenmonkeykstop zenmonkeykstop deleted the 6295-simpleantispam branch February 25, 2022 16:10
@zenmonkeykstop zenmonkeykstop mentioned this pull request Mar 17, 2022
Linked issue: Add honeypot field to SI message form to block automated submissions