fix(email): don't escape strings in plaintext emails #76476

Draft
wants to merge 2 commits into
base: master
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/access-approved.txt
Original file line number Diff line number Diff line change
@@ -1 +1,3 @@
{% autoescape off %}
You have been granted access to the {{ organization.slug }} / #{{ team.slug }} team on Sentry.
{% endautoescape %}
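Review bot: `{% autoescape off %}` around the whole body is the right fix for a text/plain template, where values such as `{{ organization.slug }}` would otherwise arrive as `&amp;`, `&#x27;` or `&lt;`; the caveat is that the block is only safe while this `.txt` file is rendered solely as the plaintext part, since anything rendered with escaping off and later included into an HTML template would land there unescaped. A one-line `{# plaintext only: rendered with autoescape off #}` at the top of these templates would record that assumption for the next person who copies one into an `.html` file.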
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/activity/release.txt
@@ -1,5 +1,7 @@
{% autoescape off %}
Version {{ version_parsed }} was deployed to {{ environment }} on {{ deploy.date_finished }}

{% for project, release_link, resolved_issue_count in projects %}
{{ release_link }}
{% endfor %}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/auth-link-identity.txt
@@ -1,7 +1,9 @@
{% autoescape off %}
{{ provider.name }} Single Sign-On has been configured for the {{ organization.name }} organization.

Link your Sentry account to enable signing on with your {{ provider.name }} account by visiting the following url:

{{ url }}

SSO link request invoked by {{ actor_email }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/auth-sso-disabled.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
{{ provider.name }} Single Sign-On has been disabled for the {{ organization.name }} organization.

{% if has_password %}
Expand All @@ -11,3 +12,4 @@ You can now login using your email {{ email }}, however you'll first have to set
{% endif %}

SSO was disabled by {{ actor_email }}
{% endautoescape %}
@@ -1,6 +1,8 @@
{% autoescape off %}
Action Required
---------------

We failed to fetch the latest CODEOWNERS file from your source code provider. Your Code Owners are out of sync with your CODEOWNERS for {{project_name}}. You can still manually sync the Code Owners in the project.

{{ url }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/confirm_email.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
{% if is_new_user %}
Thanks for signing up for Sentry!
{% endif %}
Expand All @@ -13,3 +14,4 @@ If you did not sign up, you may simply ignore this email.
{% else %}
If you did not make this request, you may simply ignore this email.
{% endif %}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/crons/broken-monitors.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Your Cron Monitors Aren't Working

We've noticed the cron monitors below have not processed a successful check-in for multiple days:
Expand All @@ -11,3 +12,4 @@ To bring your monitors back to a healthy status, we recommend checking out our t
View Monitors: {{ view_monitors_link }}

Still facing issues? Reach our to our support team "https://sentry.zendesk.com/hc/en-us/requests/new".
{% endautoescape %}
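Review bot: pre-existing typo in the context line "Reach our to our support team" (should be "Reach out to our support team", as `muted-monitors.txt` already has it); since this file is being touched anyway, worth fixing in the same commit.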
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/crons/muted-monitors.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Your Cron Monitors Have Been Muted

The Cron Monitors below have not processed a successful check-in for multiple weeks. We have automatically muted the failing environments for these monitors:
Expand All @@ -15,3 +16,4 @@ Note that muted monitors will still count towards on-demand budget, but can be d
We recommend checking out our troubleshooting guide and our FAQs: "https://docs.sentry.io/product/crons/troubleshooting/" for further information on how you can bring your monitors back to a healthy status.

Still facing issues? Reach out to our support team "https://sentry.zendesk.com/hc/en-us/requests/new".
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/data-export-failure.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
We couldn't export your data.
-----------------------------

Expand All @@ -15,3 +16,4 @@ This is what you sent us. Maybe it'll help you sort this out.
Need a little more help?
- https://docs.sentry.io/ (Documentation)
- https://sentry.zendesk.com/hc/en-us (Help Center)
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/data-export-success.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Your data is ready.
-------------------

Expand All @@ -6,3 +7,4 @@ See, that wasn't so bad. We're all done assembling your download. Now have at it
{{url|safe}}

The download file expires at {{expiration}}. So don't get attached.
{% endautoescape %}
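Review bot: with `{% autoescape off %}` in force, the `|safe` on `{{url|safe}}` is a no-op and now reads as if escaping were otherwise applied; consider dropping it here and at the other plaintext uses in this PR (`discover_link|safe`, `url|safe` in `idp_verification_email.txt` and `relocate_account.txt`, `user.username|safe` in `recover_account.txt`) so the template does not suggest a per-value exemption that no longer exists.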
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/digests/body.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
{% load sentry_helpers %}
{% load sentry_features %}Notifications for {{ project.slug }}
{{ start|date:"N j, Y, P e" }} to {{ end|date:"N j, Y, P e" }}
Expand All @@ -10,3 +11,4 @@
{% endfor %}

Unsubscribe: {{ unsubscribe_link }}
{% endautoescape %}
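Review bot: putting `{% autoescape off %}` on a line of its own adds an empty first line (and `{% endautoescape %}` an empty last line) to every rendered body, since the tag itself renders to nothing but its newline stays. This file already uses the inline style (`{% load sentry_features %}Notifications for ...`), so the opening tag could share the first content line if the leading blank line is unwanted; the same applies to the other templates in this change.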
@@ -1,3 +1,4 @@
{% autoescape off %}
We have samples!

We've collected {{ num_samples }} samples for the following search query:
Expand All @@ -7,3 +8,4 @@ We'll stop giving special priority to samples for your query once we collected 1

View samples here:
{{ discover_link|safe }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/identity-invalid.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Action Required
---------------

Expand All @@ -6,3 +7,4 @@ An identity with a third party service provider ({{ identity.provider }}) failed
You will need to associate your account with {{ identity.provider }} to continue using the integration.

{{ auth_url }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/idp_verification_email.txt
@@ -1,7 +1,9 @@
{% autoescape off %}
Sentry received a login attempt for {{ organization }} authenticated by {{ provider }}, with the credentials {{ email }}.

If this was you, and you wish to associate your existing Sentry account to the new {{ provider }} identity for {{ email }}, please click the link below.

This authentication link will expire in 10 minutes.

{{ url|safe }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/member-invite.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
You've been invited to Sentry

Your teammates at {{ organization.name }} are using Sentry to track and debug software errors.
Expand All @@ -7,3 +8,4 @@ Join your team by visiting the following url:
{{ url }}

Check out the Sentry website (https://sentry.io) if you'd like to learn more before diving in.
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/mfa-too-many-attempts.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
This is a notice that your Sentry account ({{ email }}) has failed multiple login attempts at the 2FA step from the following location:

IP address: {{ ip_address }}
Expand All @@ -13,3 +14,4 @@ If these logins are not from you, we recommend you log in to your Sentry account
{{ url }}

On the same account security page, we also recommend you click the “Sign out of all devices” button to remove all currently logged-in sessions of your account.
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/missing-members-nudge.txt
@@ -1,3 +1,4 @@
{% autoescape off %}

Bring your full {{ provider }} team on board in Sentry

Expand All @@ -12,3 +13,4 @@ Most Active Contributors
{% endfor %}

View Missing Members {{ members_list_url }}
{% endautoescape %}
@@ -1,3 +1,4 @@
{% autoescape off %}
Finish Onboarding

Hey {{ recipient_name }}
Expand All @@ -7,3 +8,4 @@ about your {{ platforms }} project{{num_platforms|pluralize}}. Click the button
your computer to complete the set up for {{ organization_name }}.

{{ onboarding_link }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/org_delete_confirm.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
The {{ organization.name }} organization has been scheduled for deletion by:

User: {{ username }}
Expand All @@ -9,3 +10,4 @@ This irreversible deletion will take place at {{ eta }} and will permanently rem
If this was unintentional and you would like to cancel the deletion:

{{ url }}
{% endautoescape %}
@@ -1,3 +1,4 @@
{% autoescape off %}
Request for Access

{{ inviter_name }} has requested to invite {{ email }} to the {{ organization_name }} organization.
Expand All @@ -7,3 +8,4 @@ View access requests by clicking the link below:
{{ pending_requests_link }}

You are receiving this email because you're listed as an organization Owner or Manager.
{% endautoescape %}
@@ -1,3 +1,4 @@
{% autoescape off %}
Request for Access

{{ email }} is requesting to join the {{ organization_name }} organization.
Expand All @@ -8,3 +9,4 @@ View access requests by clicking the link below:

You are receiving this email because you're listed as an organization Owner or Manager.
Requests to join your organization can be disabled in settings: {{ settings_link }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/recover_account.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
A password reset was requested for your account ({{ user.username|safe }}) on Sentry ({{ domain }}). If you did not authorize this, you may simply ignore this email.

To continue with your password reset, simply click the button below, and you will be able to change your password. This link will expire in 1 hour.
Expand All @@ -7,3 +8,4 @@ To continue with your password reset, simply click the button below, and you wil
This request was made by:
IP: {{ ip_address }}
Date: {{ datetime|date:"N j, Y, P e" }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/relocate_account.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
The following Sentry organizations that you are a member of have been migrated onto sentry.io:
{% for org in orgs %}
* {{ org }}
Expand All @@ -6,3 +7,4 @@ The following Sentry organizations that you are a member of have been migrated o
To continue with using these accounts at their new location, please claim your account with sentry.io.

Claim Account ({{ url|safe }})
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/relocation_failed.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Your relocation has failed for the following reason:

{%if reason != "" %}
Expand All @@ -7,3 +8,4 @@ Your relocation has failed for the following reason:
Please contact support at https://sentry.zendesk.com/hc/en-us for further assistance if necessary.

ID: {{ uuid }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/relocation_started.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Your relocation request has been accepted. You requested that the following organizations be moved to sentry.io:

{% for org in orgs %}
Expand All @@ -7,3 +8,4 @@ Your relocation request has been accepted. You requested that the following orga
Relocations usually complete in 24 hours or less. If you do not hear from us in that time frame, please contact support at https://sentry.zendesk.com/hc/en-us.

ID: {{ uuid }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/relocation_succeeded.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Your relocation request was successful! The following organizations were moved to sentry.io:

{% for org in orgs %}
Expand All @@ -9,3 +10,4 @@ You are now an owner of all of these organizations. Please note that the DSNs (s
Welcome to sentry.io!

ID: {{ uuid }}
{% endautoescape %}
1 change: 1 addition & 0 deletions src/sentry/templates/sentry/emails/reports/body.txt
@@ -0,0 +1 @@
{% endautoescape %}
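Review bot: unmatched `{% endautoescape %}`: `reports/body.txt` goes from empty (`@@ -0,0 +1 @@`) to just the closing tag, with no `{% autoescape off %}` before it, and Django's template parser rejects a close tag with no open block (`TemplateSyntaxError: Invalid block tag 'endautoescape'`), so rendering this file will fail. Add the opening tag, or drop the file from the change if the body is meant to stay empty.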
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/request-team-access.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
{% if requester %}
{{ requester }} is requesting to add {{ name }} to the #{{ team.slug }} team.
{% else %}
Expand All @@ -9,3 +10,4 @@ You can accept or decline this request in via the pending requests panel:
{{ url }}

You are receiving this email because you're listed as an administrator of the #{{ team.slug }} team.
{% endautoescape %}
@@ -1,3 +1,4 @@
{% autoescape off %}
Seems like your team could use some new tools. {{ requester_name }} from {{ organization_name }} requested the installation of {{ integration_name }}.
{% if message %}
They’ve included some additional context:
Expand All @@ -14,3 +15,4 @@ Let’s get integrated.

You are receiving this email because you’re listed as an organization Owner or Manager.
Requests to join your organization can be disabled in Organization Settings: {{ settings_link }}.
{% endautoescape %}
@@ -1,3 +1,4 @@
{% autoescape off %}
Fancy seeing you here. In your own inbox. In this email, we’ve addressed specifically to you.

{{ requester_name }} told us you’d be interested in Sentry App Monitoring for Mobile.
Expand All @@ -19,3 +20,4 @@ Get Started by clicking the link below:

Mobile up,
The Sentry Team
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/setup_2fa.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Setup Two-Factor Authentication

The {{ organization.name|title }} organization now requires all members to enable
Expand All @@ -7,3 +8,4 @@ one form of 2FA.

Enable 2FA to reinstate your access and settings:
{{ url }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/setup_email.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Confirm Email

The {{ organization.name|title }} organization now requires all members to
Expand All @@ -11,3 +12,4 @@ link will expire in 48 hours.

Step 2: Click the link below to reinstate your access and settings.
{{ invite_url }}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/slack-migration.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Slack Upgrade
--------------

Expand All @@ -15,3 +16,4 @@ Your Sentry Slack Integration for workspace {{integration.name}} has been update
{{ channel }}
{% endfor %}
{% endif %}
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/transfer_project.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
Request for Project Transfer
A project transfer request has been made:
From Organization: {{ from_org }}
Expand All @@ -7,3 +8,4 @@ Requested at: {{ request_time }}>
Click below to approve the transfer of {{ project_name }}. If you are an organization owner for more than one Sentry organization, you will be asked to choose which one should accept the project.

Approve transfer: {{url}}
{% endautoescape %}
@@ -1,3 +1,4 @@
{% autoescape off %}
Unable to Fetch Commits
-----------------------

Expand All @@ -9,3 +10,4 @@ Troubleshooting & References

https://sentry.zendesk.com/hc/en-us/articles/23968845267739-Why-am-I-receiving-the-email-Unable-to-Fetch-Commits
https://docs.sentry.io/product/releases/setup/
{% endautoescape %}
2 changes: 2 additions & 0 deletions src/sentry/templates/sentry/emails/welcome_mail.txt
@@ -1,3 +1,4 @@
{% autoescape off %}
You have a new account on Sentry!

Username: {{ username }}
Expand All @@ -15,3 +16,4 @@ with the following value for the Sentry DSN to start sending events:
{{ dsn }}
{% endif %}
{% endspaceless %}
{% endautoescape %}
5 changes: 3 additions & 2 deletions src/sentry/web/frontend/debug/mail.py
Expand Up @@ -20,6 +20,7 @@
from django.urls import reverse
from django.utils import timezone as django_timezone
from django.utils.decorators import method_decorator
from django.utils.html import escape
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import View

Expand Down Expand Up @@ -312,7 +313,7 @@ def __init__(self, html_template, text_template, context=None, subject=None):
add_unsubscribe_link(self.context)

def text_body(self):
return render_to_string(self.text_template, context=self.context)
return escape(render_to_string(self.text_template, context=self.context))

def html_body(self):
try:
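Review bot: `escape()` here only guards the debug preview, which renders the text body into an HTML page, so it is the correct counterpart to turning autoescape off in the templates rather than a contradiction of it; `django.utils.html.escape` returns a `SafeString`, so the surrounding preview template will not escape it a second time. What this diff cannot show is the production send path: confirm that nothing there still passes the rendered `.txt` body through `escape()` or an autoescaping context, otherwise real mail keeps the `&amp;`/`&#x27;` artifacts the PR is meant to remove. The same applies to the second `text_body` below.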
Expand Down Expand Up @@ -398,7 +399,7 @@ def get_context(self):

def text_body(self):
txt_template = f"{self.email.template_path}.txt"
return render_to_string(txt_template, context=self.get_context())
return escape(render_to_string(txt_template, context=self.get_context()))

def html_body(self):
html_template = f"{self.email.template_path}.html"