Do not track external domains to prevent CWE-601 (#107)

voiio · Sep 18, 2024 · e305a04 · e305a04
1 parent e388f13
commit e305a04
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/emark/message.py b/emark/message.py
@@ -115,6 +115,13 @@ def update_url_params(self, url, **params):
         if not self.uuid:
             return redirect_url
         site_url = self.get_site_url()
+
+        # ignore external links
+        if (
+            redirect_url_parts.netloc
+            and redirect_url_parts.netloc != parse.urlparse(site_url).netloc
+        ):
+            return redirect_url
         tracking_url = reverse("emark:email-click", kwargs={"pk": self.uuid})
         tracking_url = parse.urljoin(site_url, tracking_url)
         tracking_url_parts = parse.urlparse(tracking_url)

diff --git a/tests/test_message.py b/tests/test_message.py
@@ -359,12 +359,11 @@ def test_update_url_params__subdomain(self, settings, email_message):
                 "https://test.example.com/?utm_source=foo",
                 utm_medium="baz",
             )
-            == "http://www.example.com/emark/12341234-1234-1234-1234-123412341234/"
-            "click?url=https%3A%2F%2Ftest.example.com%2F%3Futm_medium%3Dbaz%26utm_source%3Dfoo"
+            == "https://test.example.com/?utm_medium=baz&utm_source=foo"
         )
 
     def test_update_url_params__external_resource(self, email_message):
-        email_message._tracking_uuid = "12341234-1234-1234-1234-123412341234"
+        email_message.uuid = "12341234-1234-1234-1234-123412341234"
         assert (
             email_message.update_url_params(
                 "https://google.com/",