Fix empty authorized address (#1423)

* not allow empty authorized address * check authorized address before adding * use github for flake8 * fix test
2022-11-15 16:04:31 +01:00 · 2022-11-15 16:04:31 +01:00 · 989358af34
parent 390b96b991
commit 989358af34
4 changed files with 23 additions and 14 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -11,7 +11,7 @@ repos:
    rev: 22.3.0
    hooks:
      - id: black
-  - repo: https://gitlab.com/pycqa/flake8
+  - repo: https://github.com/pycqa/flake8
    rev: 3.9.2
    hooks:
      - id: flake8
--- a/app/dashboard/views/mailbox_detail.py
+++ b/app/dashboard/views/mailbox_detail.py
@ -1,5 +1,6 @@
 from smtplib import SMTPRecipientsRefused

+from email_validator import validate_email, EmailNotValidError
 from flask import render_template, request, redirect, url_for, flash
 from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
@ -98,16 +99,23 @@ def mailbox_detail_route(mailbox_id):
            )
        elif request.form.get("form-name") == "add-authorized-address":
            address = sanitize_email(request.form.get("email"))
-            if AuthorizedAddress.get_by(mailbox_id=mailbox.id, email=address):
-                flash(f"{address} already added", "error")
+            try:
+                validate_email(
+                    address, check_deliverability=False, allow_smtputf8=False
+                ).domain
+            except EmailNotValidError:
+                flash(f"invalid {address}", "error")
            else:
-                AuthorizedAddress.create(
-                    user_id=current_user.id,
-                    mailbox_id=mailbox.id,
-                    email=address,
-                    commit=True,
-                )
-                flash(f"{address} added as authorized address", "success")
+                if AuthorizedAddress.get_by(mailbox_id=mailbox.id, email=address):
+                    flash(f"{address} already added", "error")
+                else:
+                    AuthorizedAddress.create(
+                        user_id=current_user.id,
+                        mailbox_id=mailbox.id,
+                        email=address,
+                        commit=True,
+                    )
+                    flash(f"{address} added as authorized address", "success")

            return redirect(
                url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
--- a/templates/dashboard/mailbox_detail.html
+++ b/templates/dashboard/mailbox_detail.html
@ -228,7 +228,7 @@
            <form method="post" action="#authorized-address" class="form-inline">
              {{ csrf_form.csrf_token }}
              <input type="hidden" name="form-name" value="add-authorized-address">
-              <input type="email" name="email" size="50" class="form-control">
+              <input type="email" name="email" size="50" class="form-control" required>
              <input type="submit" class="btn btn-primary" value="Add">
            </form>
          </div>
--- a/tests/test_email_utils.py
+++ b/tests/test_email_utils.py
@ -83,10 +83,11 @@ def test_can_be_used_as_personal_email(flask_client):
    assert not email_can_be_used_as_mailbox(f"hey@{domain}")

    # disposable domain
-    assert not email_can_be_used_as_mailbox("abcd@10minutesmail.fr")
-    assert not email_can_be_used_as_mailbox("abcd@temp-mail.com")
+    disposable_domain = random_domain()
+    InvalidMailboxDomain.create(domain=disposable_domain, commit=True)
+    assert not email_can_be_used_as_mailbox(f"abcd@{disposable_domain}")
    # subdomain will not work
-    assert not email_can_be_used_as_mailbox("abcd@sub.temp-mail.com")
+    assert not email_can_be_used_as_mailbox("abcd@sub.{disposable_domain}")
    # valid domains should not be affected
    assert email_can_be_used_as_mailbox("abcd@protonmail.com")
    assert email_can_be_used_as_mailbox("abcd@gmail.com")