models: Validate Project.linkname does not contain forward slash

I started by creating a project that contained a forward slash
(importing patches from https://lists.sr.ht/~sircmpwn/sr.ht-dev/) and
it fails to render the "projects" main page.

The specific error reads:

    NoReverseMatch at /

    Reverse for 'patch-list' with keyword arguments
    '{'project_id': 'foo/bar'}' not found. 1 pattern(s) tried:
    ['project/(?P<project_id>[^/]+)/list/$']

which appears to explicitly disallow forward slashes.

So I think it makes sense to validate that project linkname doesn't
contain forward slahes.

This implementation uses the validate_unicode_slug validator instead of just
rejecting inputs that contain forward slashes.

Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
Signed-off-by: Stephen Finucane <stephen@that.guru>
Closes: #380

diff --git a/patchwork/migrations/0044_add_project_linkname_validation.py b/patchwork/migrations/0044_add_project_linkname_validation.py
new file mode 100644 (file)
index 0000000..9319c81
--- /dev/null
+++ b/patchwork/migrations/0044_add_project_linkname_validation.py
@@ -0,0 +1,30 @@
+# Generated by Django 3.1.1 on 2020-09-29 01:27
+
+import django.core.validators
+from django.db import migrations, models
+import re
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('patchwork', '0043_merge_patch_submission'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='project',
+            name='linkname',
+            field=models.CharField(
+                max_length=255,
+                unique=True,
+                validators=[
+                    django.core.validators.RegexValidator(
+                        re.compile('^[-\\w]+\\Z'),
+                        'Enter a valid “slug” consisting of Unicode ' +
+                        'letters, numbers, underscores, or hyphens.',
+                        'invalid')
+                ]
+            ),
+        ),
+    ]

diff --git a/patchwork/models.py b/patchwork/models.py
index 77ab924152fc293c7fc6c822dcdbc0c63e15550e..6f90627d5edef4388c64c6de24b9695d3f6a7afb 100644 (file)
--- a/patchwork/models.py
+++ b/patchwork/models.py
@@ -16,6 +16,7 @@ from django.core.exceptions import ValidationError
 from django.db import models
 from django.urls import reverse
 from django.utils.functional import cached_property
+from django.core.validators import validate_unicode_slug
 
 from patchwork.fields import HashField
 from patchwork.hasher import hash_diff
@@ -56,7 +57,8 @@ class Person(models.Model):
 class Project(models.Model):
     # properties
 
-    linkname = models.CharField(max_length=255, unique=True)
+    linkname = models.CharField(max_length=255, unique=True,
+                                validators=[validate_unicode_slug])
     name = models.CharField(max_length=255, unique=True)
     listid = models.CharField(max_length=255)
     listemail = models.CharField(max_length=200)

diff --git a/releasenotes/notes/issue-380-68aaf6ee232209cc.yaml b/releasenotes/notes/issue-380-68aaf6ee232209cc.yaml
new file mode 100644 (file)
index 0000000..db76038
--- /dev/null
+++ b/releasenotes/notes/issue-380-68aaf6ee232209cc.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Previously, it was possible to create a project with a ``linkname``
+    containing invalid URL characters. This would result in broken URLs. We
+    now validate this field and restrict characters to unicode slugs (unicode
+    letters, numbers, underscores and hyphens).