Chore: reject absurd max age values (#10243)
authorshamoon <4887959+shamoon@users.noreply.github.com>
Sun, 22 Jun 2025 14:39:36 +0000 (07:39 -0700)
committerGitHub <noreply@github.com>
Sun, 22 Jun 2025 14:39:36 +0000 (07:39 -0700)
src/paperless_mail/serialisers.py
src/paperless_mail/tests/test_api.py

index 402a53c3b31cae7fd59da080d4e0ca556e2412b0..fa025fcbe3a7bc48adbe6d9d743a88e0e89acf6a 100644 (file)
@@ -125,3 +125,8 @@ class MailRuleSerializer(OwnedObjectSerializer):
             raise serializers.ValidationError("An action parameter is required.")
 
         return attrs
+
+    def validate_maximum_age(self, value):
+        if value > 36500:  # ~100 years
+            raise serializers.ValidationError("Maximum mail age is unreasonably large.")
+        return value
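Review bot: The threshold `36500` in validate_maximum_age is a bare magic number whose unit is only implied by the `# ~100 years` comment; the rejection message also does not tell the client what the limit is, so a caller cannot correct the request without reading the source. I would hoist it to a named module-level constant, `MAXIMUM_MAIL_AGE_DAYS = 36500  # ~100 years; maximum_age is interpreted in days`, and reference it in both the comparison and the message, `raise serializers.ValidationError(f"Maximum mail age may not exceed {MAXIMUM_MAIL_AGE_DAYS} days.")`. Note also that this validator bounds only the upper end: whether negative or zero values are rejected depends on the model field's own constraints, which are outside this hunk — if the field is a plain integer field, a negative `maximum_age` would still pass here, so it is worth confirming. The enclosing `MailRuleSerializer` class starts before the hunk.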
index 985ed006b08c8672cb3426eb2fd3b397b74eaeae..3ba06a746ace1d56dc8d130c838e232b026eab4e 100644 (file)
@@ -680,3 +680,44 @@ class TestAPIMailRules(DirectoriesMixin, APITestCase):
         self.assertEqual(response.data["results"][0]["name"], rule1.name)
         self.assertEqual(response.data["results"][1]["name"], rule2.name)
         self.assertEqual(response.data["results"][2]["name"], rule4.name)
+
+    def test_mailrule_maxage_validation(self):
+        """
+        GIVEN:
+            - An existing mail account
+        WHEN:
+            - The user submits a mail rule with an excessively large maximum_age
+        THEN:
+            - The API should reject the request
+        """
+        account = MailAccount.objects.create(
+            name="Email1",
+            username="username1",
+            password="password1",
+            imap_server="server.example.com",
+            imap_port=443,
+            imap_security=MailAccount.ImapSecurity.SSL,
+            character_set="UTF-8",
+        )
+
+        rule_data = {
+            "name": "Rule1",
+            "account": account.pk,
+            "folder": "INBOX",
+            "filter_from": "from@example.com",
+            "filter_to": "aperson@aplace.com",
+            "filter_subject": "subject",
+            "filter_body": "body",
+            "filter_attachment_filename_include": "file.pdf",
+            "maximum_age": 9000000,
+            "action": MailRule.MailAction.MARK_READ,
+            "assign_title_from": MailRule.TitleSource.FROM_SUBJECT,
+            "assign_correspondent_from": MailRule.CorrespondentSource.FROM_NOTHING,
+            "order": 0,
+            "attachment_type": MailRule.AttachmentProcessing.ATTACHMENTS_ONLY,
+        }
+
+        response = self.client.post(self.ENDPOINT, data=rule_data, format="json")
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("maximum_age", response.data)
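Review bot: test_mailrule_maxage_validation exercises only the rejection path with a value far above the limit, so an off-by-one in the serializer's comparison (`>` vs `>=`) or a later change to the threshold would go unnoticed. A boundary pair would pin the contract: re-post the same `rule_data` with `"maximum_age": 36500` and assert it is accepted, then with `36501` and assert `status.HTTP_400_BAD_REQUEST` plus `"maximum_age" in response.data`. The success status for a create on this endpoint is presumably `status.HTTP_201_CREATED`, as the other tests in this class outside the hunk would show — confirm against them. The GIVEN/WHEN/THEN docstring should then mention that the boundary value is accepted as well.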