From e1ef255f84d6c380a81b8f5a429be1728eac4339 Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Fri, 27 Feb 2015 09:44:43 -0800
Subject: [PATCH] prohibit third-party form sites that are almost exclusively used for phishing
---
 models/site.rb | 33 ++++++++++++-------------------
 tests/files/phishing.html | 41 +++++++++++++++++++++++++++++++++++++++
 tests/site_file_tests.rb | 5 +++++
 3 files changed, 58 insertions(+), 21 deletions(-)
 create mode 100644 tests/files/phishing.html
diff --git a/models/site.rb b/models/site.rb
index fda6cace..4aaec773 100644
--- a/models/site.rb
+++ b/models/site.rb
@@ -68,6 +68,7 @@ class Site < Sequel::Model
 /PHP\.Hide/
 ]
+ PHISHING_FORM_REGEX = /www.formbuddy.com\/cgi-bin\/form.pl/i
 SPAM_MATCH_REGEX = ENV['RACK_ENV'] == 'test' ? /pillz/ : /#{$config['spam_smart_filter'].join('|')}/i
 EMAIL_SANITY_REGEX = /.+@.+\..+/i
 EDITABLE_FILE_EXT = /html|htm|txt|js|css|md|manifest/i
@@ -481,9 +482,20 @@ class Site < Sequel::Model
 def okay_to_upload?(uploaded_file)
 return true if [:supporter].include?(plan_type.to_sym)
+ return false if self.class.possible_phishing?(uploaded_file)
 self.class.valid_file_type?(uploaded_file)
 end
+ def self.possible_phishing?(uploaded_file)
+ if File.extname(uploaded_file[:filename]).match EDITABLE_FILE_EXT
+ open(uploaded_file[:tempfile].path, 'r:binary') {|f|
+ matches = f.grep PHISHING_FORM_REGEX
+ return true unless matches.empty?
+ }
+ end
+ false
+ end
+
 def self.valid_file_type?(uploaded_file)
 mime_type = Magic.guess_file_mime_type uploaded_file[:tempfile].path
 extname = File.extname uploaded_file[:filename]
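Review bot: The unescaped dots in `PHISHING_FORM_REGEX = /www.formbuddy.com\/cgi-bin\/form.pl/i` match any character, so the pattern is slightly wider than the literal URL it is meant to catch; `%r{www\.formbuddy\.com/cgi-bin/form\.pl}i` pins the dots and drops the escaped slashes. The neighbouring SPAM_MATCH_REGEX is already built from `$config['spam_smart_filter']`, so the blocked form hosts may be better kept as a config list joined the same way, letting new hosts be added without a code change; that is a judgment call rather than a defect.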
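Review bot: `possible_phishing?` calls `Kernel#open` on the upload's temp path; `File.open` states the intent and avoids the general-purpose open's pipe behaviour (a path beginning with `|` is run as a command), which is worth removing from code that handles user uploads even though the Tempfile path here is server-generated. `f.grep` also reads the whole file and collects every match before the block decides, where `f.each_line.any? { ... }` stops at the first hit. The added `return false` in okay_to_upload? only runs for non-supporter plans because of the early `return true` above it, so supporter uploads are never scanned; if that is intended, a one-line comment saying so would save the next reader a question. A short rewrite of possible_phishing? follows.
```ruby
  def self.possible_phishing?(uploaded_file)
    return false unless File.extname(uploaded_file[:filename]).match EDITABLE_FILE_EXT
    # File.open rather than Kernel#open: Kernel#open treats a leading '|' as a command pipe.
    File.open(uploaded_file[:tempfile].path, 'r:binary') do |f|
      f.each_line.any? { |line| line =~ PHISHING_FORM_REGEX }
    end
  end
```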
@@ -540,27 +552,6 @@ class Site < Sequel::Model
 return false
 end
- if pathname.extname.match EDITABLE_FILE_EXT
- open(uploaded.path, 'r:binary') {|f|
- matches = f.grep SPAM_MATCH_REGEX
-
- if !matches.empty?
-=begin
- EmailWorker.perform_async({
- from: 'web@neocities.org',
- reply_to: email,
- to: 'spam@neocities.org',
- subject: "[Neocities SPAM]: #{username}",
- body: %{
- #{username}
- https://#{self.host}/#{relative_path}
- }
- })
-=end
- end
- }
- end
-
 if relative_path == 'index.html' && opts[:new_install] != true
 begin
 new_title = Nokogiri::HTML(File.read(uploaded.path)).css('title').first.text
diff --git a/tests/files/phishing.html b/tests/files/phishing.html
new file mode 100644
index 00000000..f90a266f
--- /dev/null
+++ b/tests/files/phishing.html
@@ -0,0 +1,41 @@
+ + +Phishing attack that only works on complete idiots that deserve to get hacked + + + +

DU HAST MICH GIVE THIS RANDOM WEB SITE YOUR LOGIN CREDENTIALS DERRRRP

+ +
+ + + + + + + + + + + + + + +
DU: + +
E-Mail: + +
HAST: + +
MICH: + +
+ + +

+

+ + +
+ + +
diff --git a/tests/site_file_tests.rb b/tests/site_file_tests.rb
index 33b9b945..625cbc5c 100644
--- a/tests/site_file_tests.rb
+++ b/tests/site_file_tests.rb
@@ -48,6 +48,11 @@ describe 'site_files' do
 end
 describe 'upload' do
+ it 'fails for suspected phishing' do
+ upload 'files[]' => Rack::Test::UploadedFile.new('./tests/files/phishing.html', 'text/html')
+ File.exists?(@site.files_path('phishing.html')).must_equal false
+ end
+
 it 'works with empty files' do
 upload 'files[]' => Rack::Test::UploadedFile.new('./tests/files/empty.js', 'text/javascript')
 File.exists?(@site.files_path('empty.js')).must_equal true
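Review bot: The new test only checks that phishing.html was not written under `@site.files_path`, so a deliberate rejection and an upload that silently failed for some other reason look identical; also asserting on the response (whatever the `upload` helper exposes, e.g. that the body reports the rejection) would pin the intended behaviour. `File.exists?` is a deprecated alias of `File.exist?`, but the new line follows the existing test directly below it, so switching it is a file-wide cleanup rather than something for this commit.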