Auto-submit the unsubscribe confirmation form only if signature is more than 5 minutes old. Idea from https://stackoverflow.com/questions/59281750/strategies-to-prevent-email-scanners-from-activating-unsubscribe-links/59381066#59381066

5 years ago · 0d2c6217d3
--- a/hc/accounts/tests/test_unsubscribe_reports.py
+++ b/hc/accounts/tests/test_unsubscribe_reports.py
@ -1,8 +1,10 @@
 from datetime import timedelta as td
 import time
 from django.core import signing
 from django.utils.timezone import now
 from hc.test import BaseTestCase
 from mock import patch
 class UnsubscribeReportsTestCase(BaseTestCase):
@ -36,3 +38,16 @@ class UnsubscribeReportsTestCase(BaseTestCase):
        r = self.client.get(url)
        self.assertContains(r, "Please press the button below")
        self.assertNotContains(r, "submit()")
    def test_aged_signature_autosubmits(self):
        with patch("django.core.signing.time") as mock_time:
            mock_time.time.return_value = time.time() - 301
            signer = signing.TimestampSigner(salt="reports")
            sig = signer.sign("alice")
        url = "/accounts/unsubscribe_reports/%s/" % sig
        r = self.client.get(url)
        self.assertContains(r, "Please press the button below")
        self.assertContains(r, "submit()")
--- a/hc/accounts/urls.py
+++ b/hc/accounts/urls.py
@ -16,7 +16,7 @@ urlpatterns = [
    path("profile/notifications/", views.notifications, name="hc-notifications"),
    path("close/", views.close, name="hc-close"),
    path(
        "unsubscribe_reports/<str:username>/",
        "unsubscribe_reports/<str:signed_username>/",
        views.unsubscribe_reports,
        name="hc-unsubscribe-reports",
    ),
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -433,17 +433,28 @@ def change_email_done(request):
@csrf_exempt
 def unsubscribe_reports(request, username):
 def unsubscribe_reports(request, signed_username):
    # Some email servers open links in emails to check for malicious content.
    # To work around this, for GET requests we serve a confirmation form.
    # If the signature is more than 5 minutes old, we also include JS code to
    # auto-submit the form.
    ctx = {}
    signer = signing.TimestampSigner(salt="reports")
    # First, check the signature without looking at the timestamp:
    try:
        username = signer.unsign(username)
        username = signer.unsign(signed_username)
    except signing.BadSignature:
        return render(request, "bad_link.html")
    # Some email servers open links in emails to check for malicious content.
    # To work around this, we serve a form that auto-submits with JS.
    # Check if timestamp is older than 5 minutes:
    try:
        username = signer.unsign(signed_username, max_age=300)
    except signing.SignatureExpired:
        ctx["autosubmit"] = True
    if request.method != "POST":
        return render(request, "accounts/unsubscribe_submit.html")
        return render(request, "accounts/unsubscribe_submit.html", ctx)
    user = User.objects.get(username=username)
    profile = Profile.objects.for_user(user)
--- a/hc/api/models.py
+++ b/hc/api/models.py
@ -7,6 +7,7 @@ from datetime import datetime, timedelta as td
 from croniter import croniter
 from django.conf import settings
 from django.core.signing import TimestampSigner
 from django.db import models
 from django.urls import reverse
 from django.utils import timezone
@ -372,7 +373,9 @@ class Channel(models.Model):
        emails.verify_email(self.email_value, {"verify_link": verify_link})
    def get_unsub_link(self):
        args = [self.code, self.make_token()]
        signer = TimestampSigner(salt="alerts")
        signed_token = signer.sign(self.make_token())
        args = [self.code, signed_token]
        verify_link = reverse("hc-unsubscribe-alerts", args=args)
        return settings.SITE_ROOT + verify_link
--- a/hc/front/tests/test_unsubscribe_email.py
+++ b/hc/front/tests/test_unsubscribe_email.py
@ -1,5 +1,8 @@
 import time
 from django.core.signing import TimestampSigner
 from hc.api.models import Channel
 from hc.test import BaseTestCase
 from mock import patch
 class UnsubscribeEmailTestCase(BaseTestCase):
@ -9,7 +12,15 @@ class UnsubscribeEmailTestCase(BaseTestCase):
        self.channel.value = "[email protected]"
        self.channel.save()
    def test_it_works(self):
    def test_it_serves_confirmation_form(self):
        token = self.channel.make_token()
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
        r = self.client.get(url)
        self.assertContains(r, "Please press the button below")
        self.assertNotContains(r, "submit()")
    def test_post_unsubscribes(self):
        token = self.channel.make_token()
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
@ -19,6 +30,39 @@ class UnsubscribeEmailTestCase(BaseTestCase):
        q = Channel.objects.filter(code=self.channel.code)
        self.assertEqual(q.count(), 0)
    def test_fresh_signature_does_not_autosubmit(self):
        signer = TimestampSigner(salt="alerts")
        signed_token = signer.sign(self.channel.make_token())
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, signed_token)
        r = self.client.get(url)
        self.assertContains(
            r, "Please press the button below to unsubscribe", status_code=200
        )
        self.assertNotContains(r, "submit()", status_code=200)
    def test_aged_signature_does_autosubmit(self):
        with patch("django.core.signing.time") as mock_time:
            mock_time.time.return_value = time.time() - 301
            signer = TimestampSigner(salt="alerts")
            signed_token = signer.sign(self.channel.make_token())
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, signed_token)
        r = self.client.get(url)
        self.assertContains(
            r, "Please press the button below to unsubscribe", status_code=200
        )
        self.assertContains(r, "submit()", status_code=200)
    def test_it_checks_signature(self):
        signed_token = self.channel.make_token() + ":bad:signature"
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, signed_token)
        r = self.client.get(url)
        self.assertContains(r, "link you just used is incorrect", status_code=200)
    def test_it_checks_token(self):
        url = "/integrations/%s/unsub/faketoken/" % self.channel.code
@ -33,11 +77,4 @@ class UnsubscribeEmailTestCase(BaseTestCase):
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
        r = self.client.get(url)
        self.assertEqual(r.status_code, 400)
    def test_it_serves_confirmation_form(self):
        token = self.channel.make_token()
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)
        r = self.client.get(url)
        self.assertContains(r, "Please press the button below")
        self.assertEqual(r.status_code, 404)
--- a/hc/front/urls.py
+++ b/hc/front/urls.py
@ -57,7 +57,7 @@ channel_urls = [
        "<uuid:code>/verify/<slug:token>/", views.verify_email, name="hc-verify-email"
    ),
    path(
        "<uuid:code>/unsub/<slug:token>/",
        "<uuid:code>/unsub/<str:signed_token>/",
        views.unsubscribe_email,
        name="hc-unsubscribe-alerts",
    ),
--- a/hc/front/views.py
+++ b/hc/front/views.py
@ -702,18 +702,35 @@ def verify_email(request, code, token):
@csrf_exempt
 def unsubscribe_email(request, code, token):
    channel = get_object_or_404(Channel, code=code)
 def unsubscribe_email(request, code, signed_token):
    # Some email servers open links in emails to check for malicious content.
    # To work around this, on GET requests we serve a confirmation form.
    # If the signature is at least 5 minutes old, we also include JS code to
    # auto-submit the form.
    ctx = {}
    if ":" in signed_token:
        signer = signing.TimestampSigner(salt="alerts")
        # First, check the signature without looking at the timestamp:
        try:
            token = signer.unsign(signed_token)
        except signing.BadSignature:
            return render(request, "bad_link.html")
        # Check if timestamp is older than 5 minutes:
        try:
            signer.unsign(signed_token, max_age=300)
        except signing.SignatureExpired:
            ctx["autosubmit"] = True
    else:
        token = signed_token
    channel = get_object_or_404(Channel, code=code, kind="email")
    if channel.make_token() != token:
        return render(request, "bad_link.html")
    if channel.kind != "email":
        return HttpResponseBadRequest()
    # Some email servers open links in emails to check for malicious content.
    # To work around this, we serve a form that auto-submits with JS.
    if request.method != "POST":
        return render(request, "accounts/unsubscribe_submit.html")
        return render(request, "accounts/unsubscribe_submit.html", ctx)
    channel.delete()
    return render(request, "front/unsubscribe_success.html")
--- a/templates/accounts/unsubscribe_submit.html
+++ b/templates/accounts/unsubscribe_submit.html
@ -12,4 +12,9 @@
        class="btn btn-lg btn-primary"
        value="Unsubscribe">
 </form>
 {% if autosubmit %}
 	<script>document.getElementById("form").submit();</script>
 {% endif %}
 {% endblock %}