fix(security): add better verification for links
This commit is contained in:
parent
6f018c97d4
commit
2658a6df65
27
app.py
27
app.py
|
@ -1,17 +1,34 @@
|
||||||
from flask import Flask, render_template, request, redirect, url_for, \
|
from flask import Flask, render_template, request, redirect, make_response, \
|
||||||
make_response, Markup
|
Markup
|
||||||
from enum import Enum
|
from enum import Enum
|
||||||
from bs4 import BeautifulSoup
|
from bs4 import BeautifulSoup
|
||||||
|
import re
|
||||||
|
|
||||||
app = Flask('ui', static_url_path="/static")
|
app = Flask('ui', static_url_path="/static")
|
||||||
app.config['TEMPLATES_AUTO_RELOAD'] = True
|
app.config['TEMPLATES_AUTO_RELOAD'] = True
|
||||||
|
|
||||||
|
DEBUG = False
|
||||||
|
|
||||||
|
|
||||||
class Status(Enum):
|
class Status(Enum):
|
||||||
ERREUR_LIEN = "Le lien doit être en http ou https !"
|
ERREUR_LIEN = "Le lien doit être en http ou https et valide !"
|
||||||
BON = "Lien ajouté !"
|
BON = "Lien ajouté !"
|
||||||
|
|
||||||
|
|
||||||
|
def valideUrl(url: str) -> bool:
|
||||||
|
# thx django
|
||||||
|
regex = re.compile(
|
||||||
|
r'^(?:http|ftp)s?://' # http:// or https://
|
||||||
|
r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...
|
||||||
|
r'localhost|' # localhost...
|
||||||
|
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4
|
||||||
|
r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6
|
||||||
|
r'(?::\d+)?' # optional port
|
||||||
|
r'(?:/?|[/?]\S+)$', re.IGNORECASE)
|
||||||
|
|
||||||
|
return bool(re.search(regex, url))
|
||||||
|
|
||||||
|
|
||||||
def ecritureFichierHtml(nouvLien, cheminFichier):
|
def ecritureFichierHtml(nouvLien, cheminFichier):
|
||||||
with open(cheminFichier, 'r+') as file:
|
with open(cheminFichier, 'r+') as file:
|
||||||
soup = BeautifulSoup(file, 'html.parser')
|
soup = BeautifulSoup(file, 'html.parser')
|
||||||
|
@ -46,7 +63,7 @@ def bizutage_redirect():
|
||||||
def bizutage():
|
def bizutage():
|
||||||
if request.method == "POST":
|
if request.method == "POST":
|
||||||
lien = request.values['lien'].lower()
|
lien = request.values['lien'].lower()
|
||||||
if not (lien.startswith("http") or lien.startswith("https")):
|
if not valideUrl(lien):
|
||||||
return render_template(
|
return render_template(
|
||||||
"ajout.html",
|
"ajout.html",
|
||||||
erreur=Status.ERREUR_LIEN.value
|
erreur=Status.ERREUR_LIEN.value
|
||||||
|
@ -72,4 +89,4 @@ def bizutage():
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
app.run(debug=True)
|
app.run(debug=DEBUG)
|
||||||
|
|
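Review bot: valideUrl in the first hunk still accepts ftp:// and ftps:// links, because the scheme alternative copied from Django reads `(?:http|ftp)s?://`, while the new Status.ERREUR_LIEN text and the startswith check it replaces only intend http and https; change that pattern line to `r'^https?://'  # http:// or https://`. Two smaller points in the same function: the pattern is recompiled on every call, and since the anchor is `$` with re.search, a value ending in a newline such as "http://example.com\n" still passes. Hoisting the compiled pattern to module level next to DEBUG and ending the function with `return regex.fullmatch(url) is not None` addresses both. The bizutage hunk then inherits the stricter check unchanged; the rest of bizutage lies outside the hunk.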