
Replica: Add codespell support with configuration and fixes #76

Open
lucaforni wants to merge 14 commits into main-modalsource from yarikoptic-postal-enh-codespell

@lucaforni

This PR replicates the original PR: postalserver#3576

Original author: @yarikoptic
Original branch: enh-codespell
Original repository: yarikoptic/postal


Add codespell-based spell-checking to Postal and fix existing typos.

I personally introduced codespell to over a hundred projects already,
mostly with positive feedback (see
"improveit-dashboard").
The added GitHub Actions workflow has permissions: contents: read so it
is safe to enable.

What's in this PR

The PR is broken into small, reviewable commits so individual pieces can
be dropped if not desired:

  1. Add GitHub Actions workflow — runs codespell on push and
    pull_request against main.

  2. Add rudimentary .codespellrc — minimal initial config.

  3. Tune .codespellrc — skip auto-generated CHANGELOG.md, DKIM /
    postfix-bounce MIME test fixtures, and the test SSH signing key, all
    of which contain MIME-encoded or binary-ish content that trips the
    spell-check. Add checkin to ignore-words-list since it's a method
    name in lib/postal/message_db/connection_pool.rb, not a misspelling.

  4. Fix historical typos in CHANGELOG.md (safe to drop)
    nexting → nesting (rubocop block-nesting changelog entry) and
    messsages → messages. CHANGELOG.md is now in codespell's skip
    list, so CI passes regardless of whether this commit is kept; this is
    a one-off cleanup of typos that originated in past commit messages
    and were copied verbatim by release-please.

  5. Fix ambiguous typos requiring context review
    actuall → actually in a spec comment and whent he → when the in an RSpec
    context label. Both required human judgment.

  6. Fix non-ambiguous typos found by codespell — auto-corrected by
    codespell -w, 22 files / 43 hits. All in comments, log strings,
    Prometheus docstrings, HAML view prose, RSpec context labels, doc
    pages, and YAML config templates / schema descriptions. No
    behavioural code is altered.

    Most-frequent corrections: overriden → overridden (13x),
    sesssion → session (9x), Somethign → Something (4x),
    mesage/mesages/messsage → message(s) (4x), plus single-instance
    apprpriate, particularily, encouters, successfuly,
    Orginal, whcih, likelyhood, thsi, maxmium, maxmimum,
    faciliate, occurrs, theres.

Notes for reviewers

  • The fix in app/lib/message_dequeuer/incoming_message_processor.rb:85
    (maxmimum → maximum in a log string) is mirrored by an update to the
    matching RSpec regex in
    spec/lib/message_dequeuer/incoming_message_processor_spec.rb:133,
    so the regression test still matches.
  • In app/lib/smtp_server/server.rb:311, codespell rewrote a Prometheus
    docstring from "successfuly TLS connections established" to
    "successfully TLS connections established". Grammatically the
    author likely meant successful (adjective) — happy to swap if you
    prefer.
  • This repo has had 14 prior commits with typo/spell/spelling
    in their subject line, demonstrating that automated spell-checking
    would have saved manual review work.

Testing

codespell passes with zero errors against the tracked tree after all
fixes (uvx codespell → exit 0).


🤖 Generated with Claude Code and love
for typo-free code.

adamcooke and others added 14 commits February 1, 2026 14:48
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

The app-wide CSP already blocks inline script execution, but the HTML
preview iframe for a stored email was same-origin and un-sandboxed, and
the html_raw response had no per-action hardening. Add a sandbox on the
iframe and tighten the CSP on html_raw to script-src 'none' with
nosniff and no-referrer so the preview has defence in depth against a
future CSP bypass or regression.

Relates to GHSA-f6g9-8555-cw28.

The /img/<server>/<message> endpoint accepted a src=<url> query
parameter and proxied the body of that URL back to the caller. Nothing
in the codebase ever produces a src= parameter — the parser only
inserts a plain tracking pixel and rewrites href links — so this branch
is dead code inherited from the original AppMail import.

Drop the src branch: requests with src now return 400. The no-src path
that serves the tracking pixel and records loads is unchanged, and a
spec covers both the pixel-serving path and the removed branch.

The endpoint and domain option helpers interpolated model attributes
straight into an HTML string before marking the whole buffer html_safe.
Wrap the interpolations in h() so untrusted attributes can't break out
of the surrounding tag.

Also stop the helpers glob in rails_helper from eagerly requiring
_spec.rb files so helper specs can live under spec/helpers/, and add a
small application helper spec covering the escape behaviour.

url_with_return_to only checked that return_to started with a forward
slash, which also allowed protocol-relative values like //host and
/\host. Rails 7.1 already refuses to follow those via redirect_to, so
the user just saw a 500. Reject the same shapes in the helper instead
so we fall back to the default URL cleanly.

Adds a sessions request spec covering the rejected shapes plus the
happy-path relative redirect.
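
The return_to check described in the commit message above, sketched in plain Ruby as an added example (not Postal's code; `safe_return_to?` and `url_with_return_to_example` are hypothetical names and the inputs are constructed). It goes slightly beyond the page by also refusing control characters, which URL parsers drop before resolving a path.

```ruby
# Added example, not Postal's code: safe_return_to? and
# url_with_return_to_example are hypothetical names.

# The insufficient check the commit message describes: leading slash only.
def leading_slash_only?(return_to)
  return_to.is_a?(String) && return_to.start_with?("/")
end

# Accept only a local path: exactly one leading "/" whose next character is
# neither "/" nor "\" (browsers treat "\" as "/" in http(s) URLs).
# Control characters are refused as well (assumption beyond the page):
# URL parsers drop tab/CR/LF, so "/\t/host" would be read as "//host".
def safe_return_to?(return_to)
  return false unless return_to.is_a?(String) && return_to.valid_encoding?
  return false if return_to.match?(/[\x00-\x1f\x7f]/)

  return_to.match?(%r{\A/(?![/\\])})
end

# Fall back to the default URL instead of raising when the value is rejected.
def url_with_return_to_example(default_url, return_to)
  safe_return_to?(return_to) ? return_to : default_url
end

# Constructed inputs; other.example is a placeholder host.
SAMPLES = [
  "/org/servers?page=2",
  "/",
  "//other.example/login",
  "/\\other.example/login",
  "/\t/other.example/login",
  "https://other.example/login",
  "",
  nil
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |value|
    puts format("%-32s old=%-5s new=%-5s -> %s",
                value.inspect, leading_slash_only?(value),
                safe_return_to?(value), url_with_return_to_example("/", value))
  end
end
```
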
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

- Skip CHANGELOG.md (auto-generated by release-please; would
  reintroduce typos copied from past commit messages).
- Skip MIME / DKIM test fixtures (spec/examples/dkim_signing,
  resource/postfix-bounce.msg, docker/ci-config/signing.key) whose
  embedded encoded content trips the spell-check.
- Ignore "checkin" — used as a method name in
  lib/postal/message_db/connection_pool.rb, not a misspelling.

Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>

Two typos that originated in past commit messages and were carried
into the auto-generated CHANGELOG:

- nexting -> nesting (line 336, rubocop block nesting)
- messsages -> messages (line 472)

CHANGELOG.md is now in codespell's skip list, so this commit is a
one-off cleanup. If you'd rather keep the historical CHANGELOG
untouched verbatim, this commit can be dropped without affecting
CI (codespell will still skip the file).

Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>

codespell offers multiple suggestions for these; resolved manually:

- "actuall" -> "actually" in
  spec/lib/postal/legacy_config_source_spec.rb:9
  (comment: "Rather than actually test the LegacyConfigSource ...")

- "whent he" -> "when the" in spec/models/server_spec.rb:92
  (RSpec context label, word-split typo: codespell flags "whent",
  the surrounding text confirms "when the IP pool ...")

Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>

Auto-corrected single-suggestion misspellings across the tree using
codespell. Changes are limited to comments, log/exception/Prometheus
docstrings, HAML view prose, RSpec context labels, Markdown docs,
and YAML config templates / schema descriptions. No behavioural code
is altered.

Highlights (single-suggestion, 22 files / 43 hits):

  overriden            -> overridden  (13x, docs + config_schema)
  sesssion             -> session     (9x,  smtp_sender + spec)
  Somethign / somethign-> Something / something (4x)
  mesage / mesages /
    messsage           -> message(s)  (4x)
  apprpriate           -> appropriate
  particularily        -> particularly
  encouters            -> encounters
  successfuly          -> successfully  (Prometheus docstring)
  Orginal              -> Original     (bounce body)
  whcih                -> which
  likelyhood           -> likelihood
  thsi                 -> this
  maxmium / maxmimum   -> maximum
  faciliate            -> facilitate
  occurrs              -> occurs
  theres               -> there's

The fix in app/lib/message_dequeuer/incoming_message_processor.rb:85
(log string) was applied together with the matching RSpec regex in
spec/lib/message_dequeuer/incoming_message_processor_spec.rb:133, so
tests still match.

Generated with: codespell -w

Co-Authored-By: Claude Code 2.1.154 / Claude Opus 4.7 <noreply@anthropic.com>

@yarikoptic

do you want me to redo it against this one? anyways, likely CI would not be happy for a PR from a fork

#19 pushing layers 0.7s done
#19 ERROR: failed to push ghcr.io/postalserver/postal:ci-dccebf1ec9112030f2681b69dc5c88de282e24df: denied: permission_denied: The requested installation does not exist.
------
 > exporting to image:
------
ERROR: failed to build: failed to solve: failed to push ghcr.io/postalserver/postal:ci-dccebf1ec9112030f2681b69dc5c88de282e24df: denied: permission_denied: The requested installation does not exist.
