manager: check that sub_slug is a valid regex (#47099)

combo/data/models.py

@@ -97,7 +97,7 @@ def django_template_validator(value):
         raise ValidationError(_('syntax error: %s') % e)
 
 
-def extract_context_from_sub_slug(sub_slug, sub_url):
+def format_sub_slug(sub_slug):
     mapping = {}
     # search all named-groups in sub_slug
     for i, m in enumerate(re.finditer(r'P<[\w_-]+>', sub_slug)):
@@ -110,6 +110,18 @@ def extract_context_from_sub_slug(sub_slug, sub_url):
         # keep a mapping
         mapping[new_group] = original_group
 
+    return sub_slug, mapping
+
+
+def compile_sub_slug(sub_slug):
+    sub_slug, mapping = format_sub_slug(sub_slug)
+    # will raise re.error if wrong regexp
+    re.compile(sub_slug)
+
+
+def extract_context_from_sub_slug(sub_slug, sub_url):
+    sub_slug, mapping = format_sub_slug(sub_slug)
+
     # match url
     match = re.match('^' + sub_slug + '$', sub_url)
     if match is None:

combo/manager/forms.py

@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import re
+
 from django import forms
 from django.conf import settings
 from django.contrib.auth.models import Group
@@ -23,6 +25,7 @@ from django.utils.translation import ugettext_lazy as _
 
 from combo.data.models import Page
 from combo.data.models import ParentContentCell
+from combo.data.models import compile_sub_slug
 
 from .fields import ImageIncludingSvgField
 
@@ -124,6 +127,16 @@ class PageEditSlugForm(forms.ModelForm):
             raise ValidationError(_('Slug must be unique'), code='unique')
         return value
 
+    def clean_sub_slug(self):
+        value = self.cleaned_data.get('sub_slug')
+
+        try:
+            compile_sub_slug(value)
+        except re.error:
+            raise ValidationError(_('Bad Regular expression.'), code='bad_regex')
+
+        return value
+
 
 class PageEditDescriptionForm(forms.ModelForm):
     class Meta:

tests/test_manager.py

@@ -209,12 +209,6 @@ def test_edit_page(app, admin_user):
     resp = resp.form.submit()
     resp = resp.follow()
     assert Page.objects.all()[0].title == 'Home 2'
-    # slug
-    resp = resp.click(href='.*/slug')
-    resp.form['slug'].value = 'foobar'
-    resp = resp.form.submit()
-    resp = resp.follow()
-    assert Page.objects.all()[0].slug == 'foobar'
     # description
     resp = resp.click(href='.*/description')
     resp.form['description'].value = 'second home page'
@@ -413,6 +407,28 @@ def test_page_edit_slug(app, admin_user):
     assert 'Slug must be unique' in resp.text
     assert Page.objects.get(id=page.id).slug == 'two2'
 
+
+def test_page_edit_sub_slug(app, admin_user):
+    page = Page.objects.create(title='One', slug='one', template_name='two')
+
+    app = login(app)
+    resp = app.get('/manage/pages/%s/' % page.pk)
+
+    resp = resp.click(href='.*/slug')
+    resp.form['slug'].value = 'foobar'
+    resp.form['sub_slug'].value = '(?P<card-foo_id>[0-9]+)'
+    resp = resp.form.submit().follow()
+    page.refresh_from_db()
+    assert page.slug == 'foobar'
+    assert page.sub_slug == '(?P<card-foo_id>[0-9]+)'
+
+    # bad regexp
+    resp = resp.click(href='.*/slug')
+    resp.form['sub_slug'].value = '(?P< bad group name with spaces >[0-9]+)'
+    resp = resp.form.submit()
+    assert resp.context['form'].errors['sub_slug'] == ['Bad Regular expression.']
+
+
 def test_page_edit_picture(app, admin_user):
     Page.objects.all().delete()
     page = Page(title='One', slug='one', template_name='standard')