Chore: reject absurd max age values (#10243)

shamoon 2025-06-22 07:39:36 -07:00 committed by GitHub
parent 59afbe09b1
commit dbf3721ec2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 46 additions and 0 deletions


@ -125,3 +125,8 @@ class MailRuleSerializer(OwnedObjectSerializer):
raise serializers.ValidationError("An action parameter is required.") raise serializers.ValidationError("An action parameter is required.")
return attrs return attrs
def validate_maximum_age(self, value):
if value > 36500: # ~100 years
raise serializers.ValidationError("Maximum mail age is unreasonably large.")
return value
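Review bot: The bound in `validate_maximum_age` is enforced only on the serializer path, so a rule saved any other way (admin form, fixture, a row that already exists) can still carry a value above 36500 and reach whatever date arithmetic this check is meant to protect. The model is not visible in this section, so this needs confirming, but a `MaxValueValidator(36500)` on the model field, or a clamp at the point where the age is turned into a date, would cover those paths too. The comparison also assumes `value` is an int: if the field accepts null, `value > 36500` raises TypeError and the request would surface as a 500 instead of a 400. The literal would read better as a named constant, for example `MAX_MAIL_AGE_DAYS = 36500`, so the limit and the error message stay in one place.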


@ -680,3 +680,44 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
self.assertEqual(response.data["results"][0]["name"], rule1.name) self.assertEqual(response.data["results"][0]["name"], rule1.name)
self.assertEqual(response.data["results"][1]["name"], rule2.name) self.assertEqual(response.data["results"][1]["name"], rule2.name)
self.assertEqual(response.data["results"][2]["name"], rule4.name) self.assertEqual(response.data["results"][2]["name"], rule4.name)
def test_mailrule_maxage_validation(self):
"""
GIVEN:
- An existing mail account
WHEN:
- The user submits a mail rule with an excessively large maximum_age
THEN:
- The API should reject the request
"""
account = MailAccount.objects.create(
name="Email1",
username="username1",
password="password1",
imap_server="server.example.com",
imap_port=443,
imap_security=MailAccount.ImapSecurity.SSL,
character_set="UTF-8",
)
rule_data = {
"name": "Rule1",
"account": account.pk,
"folder": "INBOX",
"filter_from": "from@example.com",
"filter_to": "aperson@aplace.com",
"filter_subject": "subject",
"filter_body": "body",
"filter_attachment_filename_include": "file.pdf",
"maximum_age": 9000000,
"action": MailRule.MailAction.MARK_READ,
"assign_title_from": MailRule.TitleSource.FROM_SUBJECT,
"assign_correspondent_from": MailRule.CorrespondentSource.FROM_NOTHING,
"order": 0,
"attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
}
response = self.client.post(self.ENDPOINT, data=rule_data, format="json")
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn("maximum_age", response.data)
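Review bot: `test_mailrule_maxage_validation` posts only 9000000, which is far from the limit, so an off-by-one in the comparison (`>` versus `>=`) or a later change to the constant would go unnoticed. A case posting `"maximum_age": 36500` that expects a 201 and one posting 36501 that expects a 400 would pin the boundary. Only creation via POST is asserted; updating an existing rule via PATCH presumably runs the same validator but is not exercised here.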