From d173ed5381bbd0ea7e2136a2e84e480e1de9cd53 Mon Sep 17 00:00:00 2001
From: Daniel Grams
Date: Thu, 13 Apr 2023 23:42:16 +0200
Subject: [PATCH] Code scanning alerts #430

---
 project/services/importer/event_importer.py | 25 +++---
 project/services/importer/ld_json_importer.py | 90 ++++++++++---------
 project/static/site.js | 30 +++---
 project/views/admin.py | 12 ++-
 project/views/event.py | 2 +-
 project/views/image.py | 7 +-
 6 files changed, 92 insertions(+), 74 deletions(-)

diff --git a/project/services/importer/event_importer.py b/project/services/importer/event_importer.py
index d304c4f..c704db2 100644
--- a/project/services/importer/event_importer.py
+++ b/project/services/importer/event_importer.py
@@ -67,20 +67,19 @@ class EventImporter:
 def _sanitize_url(self, absolute_url: str) -> str:
 result = absolute_url
 
- if "reservix.de" in absolute_url or "facebook.com" in absolute_url:
- try:
- p = urlparse(absolute_url)
+ try:
+ p = urlparse(absolute_url)
 
- if p.hostname.endswith("reservix.de"):
- result = p._replace(
- netloc=p.netloc.replace(p.hostname, "www.reservix.de")
- ).geturl()
+ if p.hostname.endswith("reservix.de"):
+ result = p._replace(
+ netloc=p.netloc.replace(p.hostname, "www.reservix.de")
+ ).geturl()
 
- if p.hostname == "www.facebook.com":
- result = p._replace(
- netloc=p.netloc.replace("www.facebook.com", "m.facebook.com")
- ).geturl()
+ if p.hostname == "www.facebook.com":
+ result = p._replace(
+ netloc=p.netloc.replace("www.facebook.com", "m.facebook.com")
+ ).geturl()
- except Exception: # pragma: no cover
- pass
+ except Exception: # pragma: no cover
+ pass
 
 return result
diff --git a/project/services/importer/ld_json_importer.py b/project/services/importer/ld_json_importer.py
index 6437f67..2ca4f69 100644
--- a/project/services/importer/ld_json_importer.py
+++ b/project/services/importer/ld_json_importer.py
@@ -1,4 +1,5 @@
 import json
+from urllib.parse import urlparse
 import validators
 from bs4 import BeautifulSoup
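Review bot: The new host test `p.hostname.endswith("reservix.de")` in `_sanitize_url` still accepts unrelated hosts such as `evilreservix.de` and would rewrite them to `www.reservix.de`; the check needs a label boundary, e.g. `host = (p.hostname or "").lower()` followed by `if host == "reservix.de" or host.endswith(".reservix.de"):`. The `or ""` also covers URLs without a netloc, where `p.hostname` is `None` and the `.endswith` call raises an `AttributeError` that the `except Exception: pass` below silently hides. Note too that `urlparse` lower-cases `hostname` while `netloc` keeps the original case, so `p.netloc.replace(p.hostname, ...)` is a no-op for a mixed-case host; setting `netloc="www.reservix.de"` directly avoids that, at the cost of dropping any port or userinfo, which is probably acceptable for a ticket-shop URL but should be a deliberate choice.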
@@ -178,61 +179,66 @@ class LdJsonImporter: return organizer def _load_organizer_from_html(self) -> EventOrganizer: - if "reservix.de" in self.origin_url: - div = self.soup.find("div", attrs={"class": "c-organizer-info"}) + try: + p = urlparse(self.origin_url) - if div: - prefix = "Veranstalter:" - text = div.text.strip() + if p.hostname.endswith("reservix.de"): + div = self.soup.find("div", attrs={"class": "c-organizer-info"}) - if text.startswith(prefix): - organizer_text = text[len(prefix) :].strip() - organizer = self._load_organizer_from_text(organizer_text) + if div: + prefix = "Veranstalter:" + text = div.text.strip() - if organizer: - return organizer - - if "eventim.de" in self.origin_url: - div = self.soup.find( - "div", attrs={"data-qa": "additional-info-promoter-content"} - ) - - if div: - header_div = div.find( - lambda tag: tag.name == "div" and "Veranstalter:" in tag.text - ) - - if header_div: - organizer_paragraph = header_div.findNext("p") - - if organizer_paragraph: - organizer_text = organizer_paragraph.text.strip() + if text.startswith(prefix): + organizer_text = text[len(prefix) :].strip() organizer = self._load_organizer_from_text(organizer_text) if organizer: return organizer - if "regiondo.de" in self.origin_url: - span = self.soup.find( - "span", attrs={"itemtype": "http://schema.org/Organization"} - ) + if p.hostname.endswith("eventim.de"): + div = self.soup.find( + "div", attrs={"data-qa": "additional-info-promoter-content"} + ) - if span: - organizer_text = span.text.strip() - organizer = self._load_organizer_from_text(organizer_text) + if div: + header_div = div.find( + lambda tag: tag.name == "div" and "Veranstalter:" in tag.text + ) - if organizer: - return organizer + if header_div: + organizer_paragraph = header_div.findNext("p") - if "facebook.com" in self.origin_url: - anchor = self.soup.find("a", attrs={"class": "cc"}) + if organizer_paragraph: + organizer_text = organizer_paragraph.text.strip() + organizer = 
self._load_organizer_from_text(organizer_text) - if anchor: - organizer_text = anchor.text.strip() - organizer = self._load_organizer_from_text(organizer_text) + if organizer: + return organizer - if organizer: - return organizer + if p.hostname.endswith("regiondo.de"): + span = self.soup.find( + "span", attrs={"itemtype": "http://schema.org/Organization"} + ) + + if span: + organizer_text = span.text.strip() + organizer = self._load_organizer_from_text(organizer_text) + + if organizer: + return organizer + + if p.hostname.endswith("facebook.com"): + anchor = self.soup.find("a", attrs={"class": "cc"}) + + if anchor: + organizer_text = anchor.text.strip() + organizer = self._load_organizer_from_text(organizer_text) + + if organizer: + return organizer + except Exception: # pragma: no cover + pass return None diff --git a/project/static/site.js b/project/static/site.js index 53542dc..d0fabe9 100644 --- a/project/static/site.js +++ b/project/static/site.js @@ -12,8 +12,8 @@ function get_moment_with_time_from_fields(date_field, time_field) { } function get_moment_with_time(field_id) { - var date_field = $.find(field_id); - var time_field = $.find(field_id + "-time"); + var date_field = $(this).find(field_id); + var time_field = $(this).find(field_id + "-time"); return get_moment_with_time_from_fields(date_field, time_field) } 
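Review bot: All four host checks in `_load_organizer_from_html` use a bare suffix match (`p.hostname.endswith("reservix.de")`, `"eventim.de"`, `"regiondo.de"`, `"facebook.com"`), which also matches look-alike hosts such as `notfacebook.com` and so still leaves the "incomplete URL substring sanitization" class of finding open; compare against the exact domain or a dot-prefixed suffix, e.g. `host == "facebook.com" or host.endswith(".facebook.com")`, ideally through one small `_host_matches(host, domain)` helper so the four branches cannot drift apart. `p.hostname` is `None` when `self.origin_url` has no scheme or netloc, and the new `except Exception: pass` wrapped around the whole method then swallows the resulting `AttributeError` together with any genuine parsing error from BeautifulSoup; bind `host = p.hostname or ""` once before the checks and either narrow the except or log it. The method is fully inside the hunk; the enclosing class is not.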
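Review bot: `$(this).find(field_id)` in `get_moment_with_time` will not find anything: as far as the hunks show, `get_moment_with_time` is a plain function (called as `get_moment_with_time("#" + hidden_field_id)` in the next hunk), so `this` is `window` in sloppy mode or `undefined` in strict mode, and neither is a DOM node, which makes `.find()` return an empty set and the following `.val()` / `.datepicker(...)` calls operate on nothing. If the purpose of the change is to stop the attribute-derived selector strings from ever being interpreted as HTML by `$(...)`, `$(document).find(field_id)` keeps that property while still scoping the lookup to the page; the same substitution applies to every `$(this).find(...)` introduced in this file. This deserves a manual check in the browser, because nothing here throws — the date bounds and the all-day toggles would just silently stop being applied.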
@@ -24,28 +24,28 @@ function set_date_bounds(picker) { if (data_range_to_attr) { var hidden_field_id = picker.attr("id").replace("-user", ""); var from_moment = get_moment_with_time("#" + hidden_field_id); - $.find(data_range_to_attr + "-user").datepicker( + $(this).find(data_range_to_attr + "-user").datepicker( "option", "minDate", from_moment.toDate() ); - var end_val = $.find(data_range_to_attr).val(); + var end_val = $(this).find(data_range_to_attr).val(); if (end_val != "") { var end_moment = get_moment_with_time(data_range_to_attr); - if (data_allday_attr && $.find(data_allday_attr).is(':checked')) { + if (data_allday_attr && $(this).find(data_allday_attr).is(':checked')) { end_moment = end_moment.endOf('day'); - set_picker_date($.find(data_range_to_attr), end_moment.toDate()); + set_picker_date($(this).find(data_range_to_attr), end_moment.toDate()); } else if (end_moment < from_moment) { - set_picker_date($.find(data_range_to_attr), from_moment.toDate()); + set_picker_date($(this).find(data_range_to_attr), from_moment.toDate()); } } var data_range_max_attr = picker.attr("data-range-max-days"); if (data_range_max_attr) { from_moment.add(data_range_max_attr, "days"); - $.find(data_range_to_attr + "-user").datepicker( + $(this).find(data_range_to_attr + "-user").datepicker( "option", "maxDate", from_moment.toDate() @@ -58,11 +58,11 @@ function set_date_bounds(picker) { var hidden_field_id = picker.attr("id").replace("-user", ""); var to_moment = get_moment_with_time("#" + hidden_field_id); - var start_val = $.find(data_range_from_attr).val(); + var start_val = $(this).find(data_range_from_attr).val(); if (start_val != "") { var start_moment = get_moment_with_time(data_range_from_attr); if (start_moment > to_moment) { - set_picker_date($.find(data_range_from_attr), to_moment.toDate()); + set_picker_date($(this).find(data_range_from_attr), to_moment.toDate()); } } } 
@@ -98,7 +98,7 @@ function onAlldayChecked(checkbox, hidden_field_id) { if (data_range_to_attr) { var end_moment = get_moment_with_time(data_range_to_attr); end_moment = end_moment.startOf('day').set({"hour": next_hour.hour(), "minute": next_hour.minute()}); - set_picker_date($.find(data_range_to_attr), end_moment.add(3, 'hours').toDate()); + set_picker_date($(this).find(data_range_to_attr), end_moment.add(3, 'hours').toDate()); } } } @@ -142,18 +142,18 @@ function start_datepicker(input) { var data_range_to_attr = picker.attr("data-range-to"); if (data_range_to_attr) { - $.find(data_range_to_attr).attr("data-range-from", "#" + hidden_field_id); + $(this).find(data_range_to_attr).attr("data-range-from", "#" + hidden_field_id); } var data_allday_attr = picker.attr("data-allday"); if (data_allday_attr) { - var checked = $.find(data_allday_attr).is(':checked') + var checked = $(this).find(data_allday_attr).is(':checked') $("#" + hidden_field_id + "-time").toggle(!checked); if (data_range_to_attr) { - $.find(data_range_to_attr + "-time").toggle(!checked); + $(this).find(data_range_to_attr + "-time").toggle(!checked); } - $.find(data_allday_attr).on('change', function() { + $(this).find(data_allday_attr).on('change', function() { $("#" + hidden_field_id + "-time").toggle(!this.checked); if (data_range_to_attr) { $(data_range_to_attr + "-time").toggle(!this.checked); diff --git a/project/views/admin.py b/project/views/admin.py index 0b62cd8..9bbe181 100644 --- a/project/views/admin.py +++ b/project/views/admin.py @@ -134,7 +134,11 @@ def admin_email(): "value": result.get() if ready else result.result, } except Exception as e: - return {"ready": True, "successful": False, "error": str(e)} + return { + "ready": True, + "successful": False, + "error": getattr(e, "message", "Unknown error"), + } if form.validate_on_submit(): subject = gettext( 
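Review bot: `getattr(e, "message", "Unknown error")` in `admin_email` is effectively the constant `"Unknown error"` — Python 3 exceptions have no `message` attribute — and the one case where it is not constant, a library or project exception class that does define `message`, is exactly the case that echoes internal detail back to the client again. If the intent is to stop leaking `str(e)`, return the literal and keep the detail server-side, e.g. `app.logger.exception("admin_email status check failed")` before `return {"ready": True, "successful": False, "error": "Unknown error"}` (assuming a logger is reachable in this module as `app.logger` is in `event.py`; not visible here). The same pattern appears in `admin_newsletter` in the next hunk. Both hunks sit inside functions that begin and end outside the hunk.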
@@ -173,7 +177,11 @@ def admin_newsletter():
 "successful": result.successful() if ready else None,
 }
 except Exception as e:
- return {"ready": True, "successful": False, "error": str(e)}
+ return {
+ "ready": True,
+ "successful": False,
+ "error": getattr(e, "message", "Unknown error"),
+ }
 
 if form.validate_on_submit():
 subject = gettext(
diff --git a/project/views/event.py b/project/views/event.py
index f0efb84..704f947 100644
--- a/project/views/event.py
+++ b/project/views/event.py
@@ -282,7 +282,7 @@ def event_rrule():
 return jsonify(result)
 except Exception as e:
 app.logger.exception(request.json)
- return str(e), 400
+ return getattr(e, "message", "Unknown error"), 400
 
 
 def get_event_category_choices():
diff --git a/project/views/image.py b/project/views/image.py
index 2a3d247..f1ed324 100644
--- a/project/views/image.py
+++ b/project/views/image.py
@@ -28,7 +28,12 @@ def image(id, hash=None):
 # Generate file name
 extension = image.get_file_extension()
 hash = image.get_hash()
- file_path = os.path.join(img_path, f"{id}-{hash}-{width}-{height}.{extension}")
+ file_path = os.path.normpath(
+ os.path.join(img_path, f"{id}-{hash}-{width}-{height}.{extension}")
+ )
+
+ if not file_path.startswith(img_path):
+ return None, 404
 
 # Load from disk if exists
 if os.path.exists(file_path):
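Review bot: The line above already records the failure with `app.logger.exception(request.json)`, so the response body in `event_rrule` can simply be a fixed string — `return "Unknown error", 400` — instead of `getattr(e, "message", "Unknown error")`, which differs from that constant only when an exception class defines `message`, and in that case leaks the text to the caller. Since `logger.exception` attaches the traceback, logging `request.json` rather than the exception is enough for diagnosis, though a short fixed message as the first argument would make the log line easier to grep. `event_rrule` begins outside the hunk.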
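Review bot: `file_path.startswith(img_path)` is a string prefix test, not a path-boundary test: a path under a sibling directory such as `img_path + "2"` passes, and if `img_path` is relative or not itself normalized, a legitimate `file_path` can fail because `normpath` rewrites the prefix while `img_path` is left as-is; normalize both sides and compare with `os.path.commonpath`. Separately, `return None, 404` is not a valid Flask response — Flask rejects a `None` body with a `TypeError`, so the rejection would surface as a 500 rather than a 404; `abort(404)` (from `flask`, if it is imported in this module) is the usual form. Whether `id`, `width` or `height` can actually carry path separators is not visible from this hunk, which only shows them interpolated into the file name, so the containment check is defence in depth either way. `image()` begins before the hunk and continues after it.
```python
    # … unchanged: extension / hash lookup …
    base = os.path.abspath(img_path)
    file_path = os.path.abspath(
        os.path.join(base, f"{id}-{hash}-{width}-{height}.{extension}")
    )

    # Path-component containment check, not a bare string prefix
    if os.path.commonpath([base, file_path]) != base:
        abort(404)
```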