check contact address in POST /aliases/<int:alias_id>/contacts

2020-11-03 11:10:32 +01:00 · 2020-11-03 11:10:32 +01:00 · 751cc05534
parent 72a34e28be
commit 751cc05534
2 changed files with 33 additions and 1 deletions
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@ -16,7 +16,7 @@ from app.api.serializer import (
 )
 from app.config import EMAIL_DOMAIN
 from app.dashboard.views.alias_log import get_alias_log
-from app.email_utils import parseaddr_unicode
+from app.email_utils import parseaddr_unicode, is_valid_email
 from app.extensions import db
 from app.log import LOG
 from app.models import Alias, Contact, Mailbox, AliasMailbox
@ -386,6 +386,9 @@ def create_contact_route(alias_id):

    contact_addr = data.get("contact")

+    if not contact_addr:
+        return jsonify(error="Contact cannot be empty"), 400
+
    # generate a reply_email, make sure it is unique
    # not use while to avoid infinite loop
    reply_email = f"ra+{random_string(25)}@{EMAIL_DOMAIN}"
@ -395,6 +398,8 @@ def create_contact_route(alias_id):
            break

    contact_name, contact_email = parseaddr_unicode(contact_addr)
+    if not is_valid_email(contact_email):
+        return jsonify(error=f"invalid contact email {contact_email}"), 400

    # already been added
    if Contact.get_by(alias_id=alias.id, website_email=contact_email):
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@ -3,6 +3,7 @@ from flask import url_for
 from app.config import PAGE_LIMIT
 from app.extensions import db
 from app.models import User, ApiKey, Alias, Contact, EmailLog, Mailbox
+from tests.utils import login


 def test_get_aliases_error_without_pagination(flask_client):
@ -503,6 +504,32 @@ def test_create_contact_route(flask_client):
    assert r.status_code == 409


+def test_create_contact_route_empty_contact_address(flask_client):
+    login(flask_client)
+    alias = Alias.query.first()
+
+    r = flask_client.post(
+        url_for("api.create_contact_route", alias_id=alias.id),
+        json={"contact": ""},
+    )
+
+    assert r.status_code == 400
+    assert r.json["error"] == "Contact cannot be empty"
+
+
+def test_create_contact_route_invalid_contact_email(flask_client):
+    login(flask_client)
+    alias = Alias.query.first()
+
+    r = flask_client.post(
+        url_for("api.create_contact_route", alias_id=alias.id),
+        json={"contact": "with space@gmail.com"},
+    )
+
+    assert r.status_code == 400
+    assert r.json["error"] == "invalid contact email with space@gmail.com"
+
+
 def test_delete_contact(flask_client):
    user = User.create(
        email="a@b.c", password="password", name="Test User", activated=True