fix: disallow urls in full_name during registration (pypi#16663)

miketheman · Sep 9, 2024 · 26db37d · 26db37d
1 parent ad5763d
commit 26db37d
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 5 deletions.
diff --git a/tests/unit/accounts/test_forms.py b/tests/unit/accounts/test_forms.py
@@ -798,6 +798,33 @@ def test_name_contains_null_bytes(self, pyramid_config):
         assert not form.validate()
         assert form.full_name.errors.pop() == "Null bytes are not allowed."
 
+    @pytest.mark.parametrize(
+        "input_name",
+        [
+            "https://example.com",
+            "hello http://example.com",
+            "http://example.com goodbye",
+        ],
+    )
+    def test_name_contains_url(self, pyramid_config, input_name):
+        form = forms.RegistrationForm(
+            request=pretend.stub(),
+            formdata=MultiDict({"full_name": input_name}),
+            user_service=pretend.stub(
+                find_userid=pretend.call_recorder(lambda _: None)
+            ),
+            captcha_service=pretend.stub(
+                enabled=False,
+                verify_response=pretend.call_recorder(lambda _: None),
+            ),
+            breach_service=pretend.stub(check_password=lambda pw, tags=None: True),
+        )
+        assert not form.validate()
+        assert (
+            str(form.full_name.errors.pop())
+            == "URLs are not allowed in the name field."
+        )
+
 
 class TestRequestPasswordResetForm:
     @pytest.mark.parametrize(

diff --git a/warehouse/accounts/forms.py b/warehouse/accounts/forms.py
@@ -356,6 +356,10 @@ class RegistrationForm(  # type: ignore[misc]
                     "Choose a name with 100 characters or less."
                 ),
             ),
+            wtforms.validators.Regexp(
+                r"(?i)(?:(?!:\/\/).)*$",
+                message=_("URLs are not allowed in the name field."),
+            ),
             PreventNullBytesValidator(),
         ]
     )

diff --git a/warehouse/locale/messages.pot b/warehouse/locale/messages.pot
@@ -94,23 +94,27 @@ msgstr ""
 msgid "The name is too long. Choose a name with 100 characters or less."
 msgstr ""
 
-#: warehouse/accounts/forms.py:446
+#: warehouse/accounts/forms.py:361
+msgid "URLs are not allowed in the name field."
+msgstr ""
+
+#: warehouse/accounts/forms.py:450
 msgid "Invalid TOTP code."
 msgstr ""
 
-#: warehouse/accounts/forms.py:463
+#: warehouse/accounts/forms.py:467
 msgid "Invalid WebAuthn assertion: Bad payload"
 msgstr ""
 
-#: warehouse/accounts/forms.py:532
+#: warehouse/accounts/forms.py:536
 msgid "Invalid recovery code."
 msgstr ""
 
-#: warehouse/accounts/forms.py:541
+#: warehouse/accounts/forms.py:545
 msgid "Recovery code has been previously used."
 msgstr ""
 
-#: warehouse/accounts/forms.py:571
+#: warehouse/accounts/forms.py:575
 msgid "The username isn't valid. Try again."
 msgstr ""