master
Aevann1 2022-04-18 20:25:14 +02:00
parent 521eb16db7
commit 0e74b54424
8 changed files with 41 additions and 105 deletions


@ -805,7 +805,7 @@ approved_embed_hosts = [
hosts = "|".join(approved_embed_hosts).replace('.','\.')
image_check_regex = re.compile(f'!\[\]\(((?!(https:\/\/([a-z0-9-]+\.)*({hosts})\/|\/images\/)).*?)\)', flags=re.A)
image_check_regex = re.compile(f'!\[\]\(((?!(https:\/\/([a-z0-9-]+\.)*({hosts})\/|\/)).*?)\)', flags=re.A)
embed_fullmatch_regex = re.compile(f'https:\/\/([a-z0-9-]+\.)*({hosts})\/[\w:~,()\-.#&\/=?@%;+]*', flags=re.A)
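Review bot: If L12 is the new side of this one-line change (the hunk header shows a single replaced line and the rendered page prints old then new), widening the relative-path allowance from `\/images\/` to a bare `\/` lets a protocol-relative URL such as `//attacker.example/x.png` slip past the negative lookahead, because it also begins with `/` while the browser resolves it to an external host. The earlier `\/images\/` prefix did not have this gap since its second character had to be `i`. Keep the widened form but refuse a second slash: `image_check_regex = re.compile(f'!\[\]\(((?!(https:\/\/([a-z0-9-]+\.)*({hosts})\/|\/(?!\/))).*?)\)', flags=re.A)`. Backslash variants like `/\attacker.example/x.png` are worth a test too, since browsers following the WHATWG URL parser treat the backslash as a slash.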


@ -1,34 +0,0 @@
from bs4 import BeautifulSoup
from flask import *
from urllib.parse import urlparse
from files.classes import BannedDomain
def filter_comment_html(html_text):
soup = BeautifulSoup(html_text, 'lxml')
links = soup.find_all("a")
domain_list = set()
for link in links:
href = link.get("href")
if not href: continue
url = urlparse(href)
domain = url.netloc
path = url.path
domain_list.add(domain+path)
parts = domain.split(".")
for i in range(len(parts)):
new_domain = parts[i]
for j in range(i + 1, len(parts)):
new_domain += "." + parts[j]
domain_list.add(new_domain)
bans = [x for x in g.db.query(BannedDomain).filter(BannedDomain.domain.in_(list(domain_list))).all()]
if bans: return bans
else: return []


@ -257,6 +257,34 @@ def sanitize(sanitized, alert=False, comment=False, edit=False):
soup = BeautifulSoup(sanitized, 'lxml')
links = soup.find_all("a")
domain_list = set()
for link in links:
href = link.get("href")
if not href: continue
url = urlparse(href)
domain = url.netloc
path = url.path
domain_list.add(domain+path)
parts = domain.split(".")
for i in range(len(parts)):
new_domain = parts[i]
for j in range(i + 1, len(parts)):
new_domain += "." + parts[j]
domain_list.add(new_domain)
bans = g.db.query(BannedDomain.domain).filter(BannedDomain.domain.in_(list(domain_list))).all()
if bans: abort(403, description=f"Remove the banned domains {bans} and try again!")
signal.alarm(0)
return sanitized
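Review bot: The ban lookup keys on `url.netloc` at L53, which is matched exactly against `BannedDomain.domain` at L62, so `EVIL.example`, `evil.example:443`, `user@evil.example` or `evil.example.` (trailing dot) all miss a ban on `evil.example` while still resolving to the banned host. Use `url.hostname`, which lowercases and strips userinfo and port: `domain = url.hostname or ''` (add `.rstrip('.')` if trailing-dot forms matter). The message at L63 interpolates the raw result rows and will read like `[('evil.example',)]`; `', '.join(d for (d,) in bans)` yields the domain names only. Only `<a href>` is inspected, so a banned host referenced from `<img src>` or another attribute the sanitizer allows is not caught — confirm that is intended. The enclosing `sanitize` definition begins above this hunk.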


@ -1,5 +1,4 @@
from files.helpers.wrappers import *
from files.helpers.filters import *
from files.helpers.alerts import *
from files.helpers.images import *
from files.helpers.const import *
@ -323,13 +322,6 @@ def api_comment(v):
body_html = sanitize(body, comment=True)
bans = filter_comment_html(body_html)
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your comment and try again."
if ban.reason: reason += f" {ban.reason}"
return {"error": reason}, 401
if parent_post.id not in ADMIGGERS and '!slots' not in body.lower() and '!blackjack' not in body.lower() and '!wordle' not in body.lower() and AGENDAPOSTER_PHRASE not in body.lower():
existing = g.db.query(Comment.id).filter(Comment.author_id == v.id,
@ -737,16 +729,6 @@ def edit_comment(cid, v):
body_html = sanitize(body, edit=True)
bans = filter_comment_html(body_html)
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your comment and try again."
if ban.reason: reason += f" {ban.reason}"
return {'error': reason}, 400
if '!slots' not in body.lower() and '!blackjack' not in body.lower() and '!wordle' not in body.lower() and AGENDAPOSTER_PHRASE not in body.lower():
now = int(time.time())
cutoff = now - 60 * 60 * 24


@ -23,8 +23,16 @@ def error_401(e):
@app.errorhandler(403)
def error_403(e):
if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": "403 Forbidden"}, 403
else: return render_template('errors/403.html', err=True), 403
description = e.description
if description == "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.": description = ''
if request.headers.get("Authorization") or request.headers.get("xhr"):
if not description: description = "403 Forbidden"
return {"error": description}, 403
else:
if not description: description = "YOU AREN'T WELCOME HERE GO AWAY"
return render_template('errors/403.html', description=description, err=True), 403
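Review bot: The check at L105 blanks Werkzeug's default 403 text by comparing against a hard-coded copy of that sentence, which silently stops working when the dependency's wording changes and the stock message is then shown to users as if it were a custom reason. Compare against the library constant instead: `from werkzeug.exceptions import Forbidden` and `if description == Forbidden.description: description = ''`. The same description is now echoed to API clients at L108 and into the 403 template at L111; in the visible code it only comes from server-side `abort()` calls, so this is fine as long as no handler forwards request-supplied text into `abort(403, description=...)`.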
@app.errorhandler(404)


@ -3,7 +3,6 @@ import gevent
import requests
from files.helpers.wrappers import *
from files.helpers.sanitize import *
from files.helpers.filters import *
from files.helpers.alerts import *
from files.helpers.discord import send_discord_message, send_cringetopia_message
from files.helpers.const import *
@ -510,14 +509,6 @@ def edit_post(pid, v):
if v.id == p.author_id and v.marseyawarded and marseyaward_body_regex.search(body_html):
return {"error":"You can only type marseys!"}, 403
bans = filter_comment_html(body_html)
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your post and try again."
if ban.reason:
reason += f" {ban.reason}"
return {"error": reason}, 403
p.body = body
@ -1110,12 +1101,7 @@ def submit_post(v, sub=None):
if len(body_html) > 40000: return error("Submission body_html too long! (max 40k characters)")
bans = filter_comment_html(body_html)
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your post and try again."
if ban.reason: reason += f" {ban.reason}"
return error(reason)
if request.host == 'rdrama.net' and v.admin_level < 2: club = False
else: club = bool(request.values.get("club",""))
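Review bot: The `club` gate at L143 keys a privilege-dependent decision on `request.host`, which is taken from the client-sent Host header unless the WSGI server or reverse proxy overrides it; a request reaching this app with any other Host value falls through to L144 and lets a non-admin set `club`. This is unchanged context rather than part of this commit, but it sits beside the removed ban check and deserves a look if multi-host behaviour is not deliberate: compare against a configured setting, or ensure the proxy pins the Host header, rather than trusting it directly. `submit_post` begins above this hunk.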


@ -1,7 +1,6 @@
from __future__ import unicode_literals
from files.helpers.alerts import *
from files.helpers.sanitize import *
from files.helpers.filters import filter_comment_html
from files.helpers.discord import remove_user, set_nick
from files.helpers.const import *
from files.mail import *
@ -141,16 +140,6 @@ def settings_profile_post(v):
sig = image_regex.sub(r'![](\1)', sig)
sig_html = sanitize(sig)
bans = filter_comment_html(sig_html)
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your sig and try again."
if ban.reason:
reason += f" {ban.reason}"
return {"error": reason}, 401
if len(sig_html) > 1000:
return render_template("settings_profile.html",
@ -174,13 +163,6 @@ def settings_profile_post(v):
friends = image_regex.sub(r'![](\1)', friends)
friends_html = sanitize(friends)
bans = filter_comment_html(friends_html)
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your friends list and try again."
if ban.reason: reason += f" {ban.reason}"
return {"error": reason}, 401
if len(friends_html) > 2000:
return render_template("settings_profile.html",
@ -210,13 +192,6 @@ def settings_profile_post(v):
enemies = image_regex.sub(r'![](\1)', enemies)
enemies_html = sanitize(enemies)
bans = filter_comment_html(enemies_html)
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your enemies list and try again."
if ban.reason: reason += f" {ban.reason}"
return {"error": reason}, 401
if len(enemies_html) > 2000:
return render_template("settings_profile.html",
@ -266,21 +241,12 @@ def settings_profile_post(v):
return render_template("settings_profile.html", v=v, error="Image/Video files only."), 400
bio_html = sanitize(bio)
bans = filter_comment_html(bio_html)
if len(bio_html) > 10000:
return render_template("settings_profile.html",
v=v,
error="Your bio is too long")
if bans:
ban = bans[0]
reason = f"Remove the {ban.domain} link from your bio and try again."
if ban.reason:
reason += f" {ban.reason}"
return {"error": reason}, 401
if len(bio_html) > 10000: abort(400)
v.bio = bio[:1500]
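Review bot: At L204–L205 the length check is applied to `bio_html` (limit 10000) while the stored source is `bio[:1500]`, truncated after `sanitize(bio)` at L192 has already rendered the full text, so if `bio_html` is saved from that render the stored markdown and HTML can disagree and a later re-render from `v.bio` will not match what was validated. Check the source length up front and reject instead of silently cutting: `if len(bio) > 1500: abort(400)` placed before `bio_html = sanitize(bio)`. The bare `abort(400)` at L204 also drops the former "Your bio is too long" message; pass it as `description=` if the 400 handler surfaces descriptions the way the 403 handler in this commit does. `settings_profile_post` begins above this hunk.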


@ -13,7 +13,7 @@
<img alt=":#marseytroll:" loading="lazy" src="/e/marseytroll.webp">
<pre></pre>
<h1 class="h5">403 Forbidden</h1>
<p class="text-muted mb-5">YOU AREN'T WELCOME HERE GO AWAY</p>
<p class="text-muted mb-5">{{description}}</p>
<div><a href="/" class="btn btn-primary">Go to frontpage</a></div>
</div>
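Review bot: `{{description}}` at L214 now renders text that originates from `abort(403, description=...)` calls, including a string built from database rows in the sanitize change; its safety rests on Jinja autoescaping, which Flask enables by default for templates named `*.html`. Do not add `|safe` here or disable autoescape for this template, or a banned-domain entry containing markup would be rendered as HTML. A short template comment, `{# description comes from e.description; keep autoescaped #}`, would record that assumption for the next editor.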
</div>