Merge branch 'main' into 4312-return-search-scores-api

freelawproject · Nov 20, 2024 · 7df7082 · 7df7082
2 parents c37e051 + d1e9c92
commit 7df7082
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 3 deletions.
diff --git a/cl/users/forms.py b/cl/users/forms.py
@@ -1,3 +1,5 @@
+import re
+
 from disposable_email_domains import blocklist
 from django import forms
 from django.contrib.auth import authenticate
@@ -188,6 +190,14 @@ def clean_email(self):
             )
         return email
 
+    def clean_first_name(self):
+        first_name = self.cleaned_data.get("first_name")
+        if re.search(r"""[!"#$%&()*+,./:;<=>?@[\]_{|}~]+""", first_name):
+            raise forms.ValidationError(
+                "First name must not contain any special characters."
+            )
+        return first_name
+
 
 class EmailConfirmationForm(forms.Form):
     email = forms.EmailField(

diff --git a/cl/users/tests.py b/cl/users/tests.py
@@ -275,6 +275,50 @@ async def test_signing_in(self) -> None:
         )
         self.assertRedirects(r, "/")
 
+    async def test_registration_rejects_malicious_first_name_input(
+        self,
+    ) -> None:
+        tests = (
+            # Invalid
+            ("evil.com", False),
+            ("http://test", False),
+            ("[email protected]", False),
+            ("/test/", False),
+            # Valid
+            ("My fullname", True),
+            ("Test Test", True),
+            ("Éric Terrien-Pascal", True),
+            ("Tel'c", True),
+        )
+        for first_name, is_valid in tests:
+            with self.subTest(
+                f"Trying to register using {first_name} as first name.",
+                first_name=first_name,
+                is_valid=is_valid,
+            ):
+                r = await self.async_client.post(
+                    reverse("register"),
+                    {
+                        "username": "aamon",
+                        "email": "[email protected]",
+                        "password1": "a",
+                        "password2": "a",
+                        "first_name": first_name,
+                        "last_name": "Marquis of Hell",
+                        "skip_me_if_alive": "",
+                    },
+                )
+                if not is_valid:
+                    self.assertIn(
+                        "First name must not contain any special characters.",
+                        r.content.decode(),
+                    )
+                else:
+                    self.assertNotIn(
+                        "First name must not contain any special characters.",
+                        r.content.decode(),
+                    )
+
     async def test_confirming_an_email_address(self) -> None:
         """Tests whether we can confirm the case where an email is associated
         with a single account.

diff --git a/poetry.lock b/poetry.lock