misc: add more checks on email address localpart (#48133)

src/authentic2/validators.py

@@ -16,9 +16,9 @@
 
 from __future__ import unicode_literals
 
+import re
 import smtplib
 
-import django
 from django.utils.deconstruct import deconstructible
 from django.utils.translation import ugettext_lazy as _
 from django.core.exceptions import ValidationError
@@ -80,10 +80,14 @@ class EmailValidator(object):
             except smtplib.SMTPConnectError:
                 continue
 
+    LOCALPART_FORBIDDEN_RE = re.compile(r'^(?:[./|]|.*[@%!`#&?]|.*/\.\./)')
+
     def __call__(self, value):
         DjangoEmailValidator()(value)
 
         localpart, hostname = value.split('@', 1)
+        if self.LOCALPART_FORBIDDEN_RE.match(localpart):
+            raise ValidationError(DjangoEmailValidator.message, code=DjangoEmailValidator.code)
         if app_settings.A2_VALIDATE_EMAIL_DOMAIN:
             mxs = self.query_mxs(hostname)
             if not mxs:

tests/test_validators.py

@@ -48,13 +48,17 @@ def test_digits_password_policy(settings):
     validate_password('12345678')
 
 
-def test_email_validator():
+@pytest.mark.parametrize('email', ['nok', '@nok.com', 'foo@bar\x00',
+                                   'foo&@bar', '|a@nok.com', 'a/../b@nok.com',
+                                   'a%b@nok.com', 'a!b@nok.com', 'a#b@nok.com',
+                                   'a&b@nok.com', 'a?b@nok.com'])
+def test_email_validator_nok(email):
     with pytest.raises(ValidationError):
-        EmailValidator()('nok')
-    with pytest.raises(ValidationError):
-        EmailValidator()('@nok.com')
-    with pytest.raises(ValidationError):
-        EmailValidator()('foo@bar\x00')
+        EmailValidator()(email)
+
+
+@pytest.mark.parametrize('email', ['ok@ok.com', 'a|b@ok.com', 'a/..b@ok.com'])
+def test_email_validator_ok(email):
     EmailValidator()('ok@ok.com')