Replica: Add codespell support with configuration and fixes#76
Open
lucaforni wants to merge 14 commits into
Conversation
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The app-wide CSP already blocks inline script execution, but the HTML preview iframe for a stored email was same-origin and un-sandboxed, and the html_raw response had no per-action hardening. Add a sandbox on the iframe and tighten the CSP on html_raw to script-src 'none' with nosniff and no-referrer so the preview has defence in depth against a future CSP bypass or regression. Relates to GHSA-f6g9-8555-cw28.
The /img/<server>/<message> endpoint accepted a src=<url> query parameter and proxied the body of that URL back to the caller. Nothing in the codebase ever produces a src= parameter — the parser only inserts a plain tracking pixel and rewrites href links — so this branch is dead code inherited from the original AppMail import. Drop the src branch: requests with src now return 400. The no-src path that serves the tracking pixel and records loads is unchanged, and a spec covers both the pixel-serving path and the removed branch.
The endpoint and domain option helpers interpolated model attributes straight into an HTML string before marking the whole buffer html_safe. Wrap the interpolations in h() so untrusted attributes can't break out of the surrounding tag. Also stop the helpers glob in rails_helper from eagerly requiring _spec.rb files so helper specs can live under spec/helpers/, and add a small application helper spec covering the escape behaviour.
url_with_return_to only checked that return_to started with a forward slash, which also allowed protocol-relative values like //host and /\host. Rails 7.1 already refuses to follow those via redirect_to, so the user just saw a 500. Reject the same shapes in the helper instead so we fall back to the default URL cleanly. Adds a sessions request spec covering the rejected shapes plus the happy-path relative redirect.
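The return_to check described in the commit above, written out as an added example rather than Postal's own helper: it accepts a plain relative path and rejects the protocol-relative and backslash shapes named in the commit, and goes a little further by also refusing absolute URLs and control characters. The helper names safe_return_to? and redirect_target_for are assumptions for this example.

```ruby
# Added example, not Postal's url_with_return_to helper.
# Validates a user-supplied return_to value before it is used as a
# redirect target, so the caller can fall back to a default URL instead
# of letting Rails raise on an unsafe redirect.

DEFAULT_RETURN_URL = "/".freeze

# Hypothetical helper. Returns true only for a path that stays on the
# current origin:
#   "/foo"    -> accepted (plain relative path)
#   "//host"  -> rejected (protocol-relative; browsers resolve to host)
#   "/\\host" -> rejected (browsers normalise the backslash to a slash)
#   "https://host/" -> rejected (absolute URL, never starts with "/")
def safe_return_to?(value)
  return false unless value.is_a?(String) && !value.empty?
  # Must start with a forward slash...
  return false unless value.start_with?("/")
  # ...and the second character must not be another slash or a backslash,
  # which would turn the value into a protocol-relative URL.
  return false if ["/", "\\"].include?(value[1])
  # Reject control characters (CR/LF and friends) so the value cannot
  # smuggle anything into a Location header.
  return false if value.match?(/[\x00-\x1f]/)
  true
end

# Hypothetical helper: the validated return_to, else the default URL.
def redirect_target_for(return_to, default: DEFAULT_RETURN_URL)
  safe_return_to?(return_to) ? return_to : default
end
```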
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- Skip CHANGELOG.md (auto-generated by release-please; would reintroduce typos copied from past commit messages).
- Skip MIME / DKIM test fixtures (spec/examples/dkim_signing, resource/postfix-bounce.msg, docker/ci-config/signing.key) whose embedded encoded content trips the spell-check.
- Ignore "checkin" — used as a method name in lib/postal/message_db/connection_pool.rb, not a misspelling.
Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>
Two typos that originated in past commit messages and were carried into the auto-generated CHANGELOG:
- nexting -> nesting (line 336, rubocop block nesting)
- messsages -> messages (line 472)
CHANGELOG.md is now in codespell's skip list, so this commit is a one-off cleanup. If you'd rather keep the historical CHANGELOG untouched verbatim, this commit can be dropped without affecting CI (codespell will still skip the file).
Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>
codespell offers multiple suggestions for these; resolved manually:
- "actuall" -> "actually" in spec/lib/postal/legacy_config_source_spec.rb:9 (comment: "Rather than actually test the LegacyConfigSource ...")
- "whent he" -> "when the" in spec/models/server_spec.rb:92 (RSpec context label, word-split typo: codespell flags "whent", the surrounding text confirms "when the IP pool ...")
Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>
Auto-corrected single-suggestion misspellings across the tree using
codespell. Changes are limited to comments, log/exception/Prometheus
docstrings, HAML view prose, RSpec context labels, Markdown docs,
and YAML config templates / schema descriptions. No behavioural code
is altered.
Highlights (single-suggestion, 22 files / 43 hits):
overriden -> overridden (13x, docs + config_schema)
sesssion -> session (9x, smtp_sender + spec)
Somethign / somethign -> Something / something (4x)
mesage / mesages / messsage -> message(s) (4x)
apprpriate -> appropriate
particularily -> particularly
encouters -> encounters
successfuly -> successfully (Prometheus docstring)
Orginal -> Original (bounce body)
whcih -> which
likelyhood -> likelihood
thsi -> this
maxmium / maxmimum -> maximum
faciliate -> facilitate
occurrs -> occurs
theres -> there's
The fix in app/lib/message_dequeuer/incoming_message_processor.rb:85
(log string) was applied together with the matching RSpec regex in
spec/lib/message_dequeuer/incoming_message_processor_spec.rb:133, so
tests still match.
Generated with: codespell -w
Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>
do you want me to redo it against this one? anyways, likely CI would not be happy for a PR from a fork
This PR replicates the original PR: postalserver#3576
Original author: @yarikoptic
Original branch: enh-codespell
Original repository: yarikoptic/postal
Add codespell-based spell-checking to Postal and fix existing typos.

I personally introduced codespell to over a hundred projects already, mostly with positive feedback (see "improveit-dashboard").

The added GitHub Actions workflow has `permissions: contents: read`, so it is safe to enable.

What's in this PR

The PR is broken into small, reviewable commits so individual pieces can be dropped if not desired:

- Add GitHub Actions workflow — runs codespell on push and pull_request against main.
- Add rudimentary .codespellrc — minimal initial config.
- Tune .codespellrc — skip auto-generated CHANGELOG.md, DKIM / postfix-bounce MIME test fixtures, and the test SSH signing key, all of which contain MIME-encoded or binary-ish content that trips the spell-check. Add checkin to ignore-words-list since it's a method name in lib/postal/message_db/connection_pool.rb, not a misspelling.
- Fix historical typos in CHANGELOG.md (safe to drop) — nexting → nesting (rubocop block-nesting changelog entry) and messsages → messages. CHANGELOG.md is now in codespell's skip list, so CI passes regardless of whether this commit is kept; this is a one-off cleanup of typos that originated in past commit messages and were copied verbatim by release-please.
- Fix ambiguous typos requiring context review — actuall → actually in a spec comment and whent he → when the in an RSpec context label. Both required human judgment.
- Fix non-ambiguous typos found by codespell — auto-corrected by codespell -w, 22 files / 43 hits. All in comments, log strings, Prometheus docstrings, HAML view prose, RSpec context labels, doc pages, and YAML config templates / schema descriptions. No behavioural code is altered.

Most-frequent corrections: overriden → overridden (13x), sesssion → session (9x), Somethign → Something (4x), mesage/mesages/messsage → message(s) (4x), plus single-instance apprpriate, particularily, encouters, successfuly, Orginal, whcih, likelyhood, thsi, maxmium, maxmimum, faciliate, occurrs, theres.

Notes for reviewers

- app/lib/message_dequeuer/incoming_message_processor.rb:85 (maxmimum → maximum in a log string) is mirrored by an update to the matching RSpec regex in spec/lib/message_dequeuer/incoming_message_processor_spec.rb:133, so the regression test still matches.
- In app/lib/smtp_server/server.rb:311, codespell rewrote a Prometheus docstring from "successfuly TLS connections established" to "successfully TLS connections established". Grammatically the author likely meant successful (adjective) — happy to swap if you prefer.
- typo/spell/spelling in their subject line, demonstrating that automated spell-checking would have saved manual review work.

Testing

codespell passes with zero errors against the tracked tree after all fixes (uvx codespell → exit 0).

🤖 Generated with Claude Code and love for typo-free code.