SECURITY: ERB execution in custom Email Style

This commit is contained in:
Robin Ward 2020-05-21 14:26:03 -04:00
parent 5a71c51ddd
commit d11c462104
3 changed files with 113 additions and 103 deletions

View File

@ -25,12 +25,8 @@ module EmailHelper
raw "<a href='#{Discourse.base_url}#{url}' style='color: ##{@anchor_color}'>#{title}</a>"
end
def email_html_template(binding_arg)
template = EmailStyle.new.html.sub(
'%{email_content}',
'<%= yield %><% if defined?(html_body) %><%= html_body %><% end %>'
)
ERB.new(template).result(binding_arg)
def email_html_template
EmailStyle.new.html.sub('%{email_content}', yield).html_safe
end
protected

View File

@ -2,5 +2,8 @@
<%= yield %>
<% if defined?(html_body) %><%= html_body %><% end %>
<% else %>
<%= email_html_template(binding).html_safe %>
<%= email_html_template do %>
<%= yield %>
<% if defined?(html_body) %><%= html_body %><% end %>
<% end %>
<% end %>

View File

@ -3,128 +3,139 @@
require "rails_helper"
describe EmailStyle do
before do
SiteSetting.email_custom_template = "<body><h1>FOR YOU</h1><div>%{email_content}</div></body>"
SiteSetting.email_custom_css = 'h1 { color: red; } div.body { color: #FAB; }'
SiteSetting.email_custom_css_compiled = SiteSetting.email_custom_css
end
after do
SiteSetting.remove_override!(:email_custom_template)
SiteSetting.remove_override!(:email_custom_css)
end
context 'invite' do
fab!(:invite) { Fabricate(:invite) }
let(:invite_mail) { InviteMailer.send_invite(invite) }
subject(:mail_html) { Email::Renderer.new(invite_mail).html }
it 'applies customizations' do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to match("#{Discourse.base_url}/invites/#{invite.invite_key}")
end
it 'applies customizations if compiled is missing' do
SiteSetting.remove_override!(:email_custom_css_compiled)
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to match("#{Discourse.base_url}/invites/#{invite.invite_key}")
end
it 'can apply RTL attrs' do
SiteSetting.default_locale = 'he'
body_attrs = mail_html.match(/<body ([^>])+/)
expect(body_attrs[0]&.downcase).to match(/text-align:\s*right/)
expect(body_attrs[0]&.downcase).to include('dir="rtl"')
context "ERB evaluation" do
it "does not evaluate ERB outside of the email itself" do
SiteSetting.email_custom_template = "<div>%{email_content}</div><%= (111 * 333) %>"
html = Email::Renderer.new(UserNotifications.signup(Fabricate(:user))).html
expect(html).not_to match("36963")
end
end
context 'user_replied' do
let(:response_by_user) { Fabricate(:user, name: "John Doe") }
let(:category) { Fabricate(:category, name: 'India') }
let(:topic) { Fabricate(:topic, category: category, title: "Super cool topic") }
let(:post) { Fabricate(:post, topic: topic, raw: 'This is My super duper cool topic') }
let(:response) { Fabricate(:basic_reply, topic: post.topic, user: response_by_user) }
let(:user) { Fabricate(:user) }
let(:notification) { Fabricate(:replied_notification, user: user, post: response) }
let(:mail) do
UserNotifications.user_replied(
user,
post: response,
notification_type: notification.notification_type,
notification_data_hash: notification.data_hash
)
context "with a custom template" do
before do
SiteSetting.email_custom_template = "<body><h1>FOR YOU</h1><div>%{email_content}</div></body>"
SiteSetting.email_custom_css = 'h1 { color: red; } div.body { color: #FAB; }'
SiteSetting.email_custom_css_compiled = SiteSetting.email_custom_css
end
subject(:mail_html) { Email::Renderer.new(mail).html }
it "customizations are applied to html part of emails" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
matches = mail_html.match(/<div style="([^"]+)">#{post.raw}/)
expect(matches[1]).to include('color: #FAB;') # custom
expect(matches[1]).to include('padding-top:5px;') # div.body
after do
SiteSetting.remove_override!(:email_custom_template)
SiteSetting.remove_override!(:email_custom_css)
end
# TODO: translation override
end
context 'invite' do
fab!(:invite) { Fabricate(:invite) }
let(:invite_mail) { InviteMailer.send_invite(invite) }
context 'signup' do
let(:signup_mail) { UserNotifications.signup(Fabricate(:user)) }
subject(:mail_html) { Email::Renderer.new(signup_mail).html }
subject(:mail_html) { Email::Renderer.new(invite_mail).html }
it "customizations are applied to html part of emails" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to include('activate-account')
it 'applies customizations' do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to match("#{Discourse.base_url}/invites/#{invite.invite_key}")
end
it 'applies customizations if compiled is missing' do
SiteSetting.remove_override!(:email_custom_css_compiled)
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to match("#{Discourse.base_url}/invites/#{invite.invite_key}")
end
it 'can apply RTL attrs' do
SiteSetting.default_locale = 'he'
body_attrs = mail_html.match(/<body ([^>])+/)
expect(body_attrs[0]&.downcase).to match(/text-align:\s*right/)
expect(body_attrs[0]&.downcase).to include('dir="rtl"')
end
end
context 'translation override' do
before do
TranslationOverride.upsert!(
'en',
'user_notifications.signup.text_body_template',
"CLICK THAT LINK: %{base_url}/u/activate-account/%{email_token}"
context 'user_replied' do
let(:response_by_user) { Fabricate(:user, name: "John Doe") }
let(:category) { Fabricate(:category, name: 'India') }
let(:topic) { Fabricate(:topic, category: category, title: "Super cool topic") }
let(:post) { Fabricate(:post, topic: topic, raw: 'This is My super duper cool topic') }
let(:response) { Fabricate(:basic_reply, topic: post.topic, user: response_by_user) }
let(:user) { Fabricate(:user) }
let(:notification) { Fabricate(:replied_notification, user: user, post: response) }
let(:mail) do
UserNotifications.user_replied(
user,
post: response,
notification_type: notification.notification_type,
notification_data_hash: notification.data_hash
)
end
after do
TranslationOverride.revert!('en', ['user_notifications.signup.text_body_template'])
subject(:mail_html) { Email::Renderer.new(mail).html }
it "customizations are applied to html part of emails" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
matches = mail_html.match(/<div style="([^"]+)">#{post.raw}/)
expect(matches[1]).to include('color: #FAB;') # custom
expect(matches[1]).to include('padding-top:5px;') # div.body
end
it "applies customizations when translation override exists" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html.scan('CLICK THAT LINK').count).to eq(1)
end
# TODO: translation override
end
context 'with some bad css' do
before do
SiteSetting.email_custom_css = '@import "nope.css"; h1 {{{ size: really big; '
SiteSetting.email_custom_css_compiled = SiteSetting.email_custom_css
end
context 'signup' do
let(:signup_mail) { UserNotifications.signup(Fabricate(:user)) }
subject(:mail_html) { Email::Renderer.new(signup_mail).html }
it "can render the html" do
expect(mail_html.scan(/<h1\s*(?:style=""){0,1}>FOR YOU<\/h1>/).count).to eq(1)
it "customizations are applied to html part of emails" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to include('activate-account')
end
end
end
context 'digest' do
fab!(:popular_topic) { Fabricate(:topic, user: Fabricate(:coding_horror), created_at: 1.hour.ago) }
let(:summary_email) { UserNotifications.digest(Fabricate(:user)) }
subject(:mail_html) { Email::Renderer.new(summary_email).html }
context 'translation override' do
before do
TranslationOverride.upsert!(
'en',
'user_notifications.signup.text_body_template',
"CLICK THAT LINK: %{base_url}/u/activate-account/%{email_token}"
)
end
it "customizations are applied to html part of emails" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to include(popular_topic.title)
after do
TranslationOverride.revert!('en', ['user_notifications.signup.text_body_template'])
end
it "applies customizations when translation override exists" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html.scan('CLICK THAT LINK').count).to eq(1)
end
end
context 'with some bad css' do
before do
SiteSetting.email_custom_css = '@import "nope.css"; h1 {{{ size: really big; '
SiteSetting.email_custom_css_compiled = SiteSetting.email_custom_css
end
it "can render the html" do
expect(mail_html.scan(/<h1\s*(?:style=""){0,1}>FOR YOU<\/h1>/).count).to eq(1)
expect(mail_html).to include('activate-account')
end
end
end
it "doesn't apply customizations if apply_custom_styles_to_digest is disabled" do
SiteSetting.apply_custom_styles_to_digest = false
expect(mail_html).to_not include('<h1 style="color: red;">FOR YOU</h1>')
expect(mail_html).to_not include('FOR YOU')
expect(mail_html).to include(popular_topic.title)
context 'digest' do
fab!(:popular_topic) { Fabricate(:topic, user: Fabricate(:coding_horror), created_at: 1.hour.ago) }
let(:summary_email) { UserNotifications.digest(Fabricate(:user)) }
subject(:mail_html) { Email::Renderer.new(summary_email).html }
it "customizations are applied to html part of emails" do
expect(mail_html.scan('<h1 style="color: red;">FOR YOU</h1>').count).to eq(1)
expect(mail_html).to include(popular_topic.title)
end
it "doesn't apply customizations if apply_custom_styles_to_digest is disabled" do
SiteSetting.apply_custom_styles_to_digest = false
expect(mail_html).to_not include('<h1 style="color: red;">FOR YOU</h1>')
expect(mail_html).to_not include('FOR YOU')
expect(mail_html).to include(popular_topic.title)
end
end
end
end