Merge pull request #7708 from freedomofpress/7619-fix-tabid

legoktm · web-flow · commit 09f99de8a13f · 2025-11-06T19:36:50.000Z
Add check for valid tab IDs when creating sources
diff --git a/securedrop/source_app/main.py b/securedrop/source_app/main.py
@@ -108,7 +108,19 @@ def create() -> werkzeug.Response:
             if not date_codenames_expire or datetime.now(timezone.utc) >= date_codenames_expire:
                 return clear_session_and_redirect_to_logged_out_page(flask_session=session)
 
-            tab_id = request.form["tab_id"]
+            tab_id = request.form.get("tab_id")
+            if not tab_id or tab_id not in session.get("codenames", {}):
+                # Use generic error message text for source creation issue
+                session.clear()
+                flash_msg(
+                    "error",
+                    None,
+                    gettext(
+                        "There was a temporary problem creating your account. Please try again."
+                    ),
+                )
+                return redirect(url_for("main.index"))
+
             codename = session["codenames"][tab_id]
             del session["codenames"]
 
diff --git a/securedrop/tests/test_source.py b/securedrop/tests/test_source.py
@@ -145,6 +145,34 @@ def test_create_new_source(source_app):
         assert "codenames" not in session
 
 
+def test_create_no_tab_id(source_app):
+    with source_app.test_client() as app:
+        resp = app.post(url_for("main.generate"), data=GENERATE_DATA)
+        assert resp.status_code == 200
+        resp = app.post(url_for("main.create"), follow_redirects=True)
+        assert not SessionManager.is_user_logged_in(db_session=db.session)
+
+        # should be redirected to /lookup
+        text = resp.data.decode("utf-8")
+        assert "There was a temporary problem" in text
+        assert "Get Started" in text
+        assert "codenames" not in session
+
+
+def test_create_bad_tab_id(source_app):
+    with source_app.test_client() as app:
+        resp = app.post(url_for("main.generate"), data=GENERATE_DATA)
+        assert resp.status_code == 200
+        resp = app.post(url_for("main.create"), data={"tab_id": "ohno"}, follow_redirects=True)
+        assert not SessionManager.is_user_logged_in(db_session=db.session)
+
+        # should be redirected to /lookup
+        text = resp.data.decode("utf-8")
+        assert "There was a temporary problem" in text
+        assert "Get Started" in text
+        assert "codenames" not in session
+
+
 def test_generate_as_post(source_app):
     with source_app.test_client() as app:
         resp = app.post(url_for("main.generate"), data=GENERATE_DATA)
