Add a mailto link generator to easily report malicious packages. (#93)

AngeloD2022 · web-flow · commit cfd7b0995832 · 2023-04-14T13:06:13.000-04:00
* Add a mailto link generator to easily report malicious packages.

* Applied black reformat.
diff --git a/inspector/main.py b/inspector/main.py
@@ -48,7 +48,7 @@ def handle_bad_request(e):
 @app.route("/")
 def index():
     if project := request.args.get("project"):
-        return redirect(f"/project/{ project }")
+        return redirect(f"/project/{project}")
     return render_template("index.html")
 
 
@@ -78,7 +78,7 @@ def versions(project_name):
 def distributions(project_name, version):
     resp = requests.get(f"https://pypi.org/pypi/{project_name}/{version}/json")
     if resp.status_code != 200:
-        return redirect(f"/project/{ project_name }/")
+        return redirect(f"/project/{project_name}/")
 
     dist_urls = [
         "." + urllib.parse.urlparse(url["url"]).path + "/"
@@ -200,22 +200,47 @@ def distribution(project_name, version, first, second, rest, distname):
         return "Distribution type not supported"
 
 
+def mailto_report_link(project_name, version, file_path, request_url):
+    """
+    Generate a mailto report link for malicious code.
+    """
+    message_body = (
+        "PyPI Malicious Package Report\n"
+        "--\n"
+        f"Package Name: {project_name}\n"
+        f"Version: {version}\n"
+        f"File Path: {file_path}\n"
+        f"Inspector URL: {request_url}\n\n"
+        "Additional Information:\n\n"
+    )
+
+    subject = f"Malicious Package Report: {project_name}"
+
+    return (
+        f"mailto:security@pypi.org?"
+        f"subject={urllib.parse.quote(subject)}"
+        f"&body={urllib.parse.quote(message_body)}"
+    )
+
+
 @app.route(
     "/project/<project_name>/<version>/packages/<first>/<second>/<rest>/<distname>/<path:filepath>"  # noqa
 )
 def file(project_name, version, first, second, rest, distname, filepath):
     dist = _get_dist(first, second, rest, distname)
-
     if dist:
         try:
             contents = dist.contents(filepath)
         except UnicodeDecodeError:
             return "Binary files are not supported"
         except FileNotFoundError:
             return abort(404)
+
+        report_link = mailto_report_link(project_name, version, filepath, request.url)
         return render_template(
             "code.html",
             code=contents,
+            mailto_report_link=report_link,
             h2=f"{project_name}",
             h2_link=f"/project/{project_name}",
             h2_paren="View this project on PyPI",
diff --git a/inspector/templates/code.html b/inspector/templates/code.html
@@ -5,6 +5,7 @@
 {% endblock %}
 
 {% block body %}
+<a href="{{ mailto_report_link }}" style="color:red"> <strong>Report Malicious Package</strong> </a>
 <pre id="line" class="line-numbers linkable-line-numbers language-python">
 <code class="language-python">{{- code }}</code>
 </pre>
