Do not track external domains to prevent CWE-601 (#107)

Author: amureki

emark/message.py

@@ -115,6 +115,13 @@ def update_url_params(self, url, **params):
         if not self.uuid:
             return redirect_url
         site_url = self.get_site_url()
+
+        # ignore external links
+        if (
+            redirect_url_parts.netloc
+            and redirect_url_parts.netloc != parse.urlparse(site_url).netloc
+        ):
+            return redirect_url
         tracking_url = reverse("emark:email-click", kwargs={"pk": self.uuid})
         tracking_url = parse.urljoin(site_url, tracking_url)
         tracking_url_parts = parse.urlparse(tracking_url)

tests/test_message.py

@@ -359,12 +359,11 @@ def test_update_url_params__subdomain(self, settings, email_message):
                 "https://test.example.com/?utm_source=foo",
                 utm_medium="baz",
             )
-            == "http://www.example.com/emark/12341234-1234-1234-1234-123412341234/"
-            "click?url=https%3A%2F%2Ftest.example.com%2F%3Futm_medium%3Dbaz%26utm_source%3Dfoo"
+            == "https://test.example.com/?utm_medium=baz&utm_source=foo"
         )
 
     def test_update_url_params__external_resource(self, email_message):
-        email_message._tracking_uuid = "12341234-1234-1234-1234-123412341234"
+        email_message.uuid = "12341234-1234-1234-1234-123412341234"
         assert (
             email_message.update_url_params(
                 "https://google.com/",