Add filtering to app and org display names

Author: geoffg-sentry

src/sentry/api/serializers/models/organization.py

@@ -175,6 +175,13 @@ def validate_name(self, value: str) -> str:
             raise serializers.ValidationError(
                 "Organization name cannot contain URL schemes (e.g. http:// or https://)."
             )
+
+        from sentry.utils.display_name_filter import check_spam_display_name
+
+        spam_error = check_spam_display_name(value)
+        if spam_error:
+            raise serializers.ValidationError(spam_error)
+
         return value
 
     def validate_slug(self, value: str) -> str:

src/sentry/sentry_apps/api/parsers/sentry_app.py

@@ -164,6 +164,13 @@ def validate_name(self, value):
         max_length = 64 - UUID_CHARS_IN_SLUG - 1  # -1 comes from the - before the UUID bit
         if len(value) > max_length:
             raise ValidationError("Cannot exceed %d characters" % max_length)
+
+        from sentry.utils.display_name_filter import check_spam_display_name
+
+        spam_error = check_spam_display_name(value)
+        if spam_error:
+            raise ValidationError(spam_error)
+
         return value
 
     def validate_allowedOrigins(self, value):

src/sentry/utils/display_name_filter.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+from collections.abc import Callable
+
+CURRENCY_SIGNALS: list[str] = [
+    "$",
+    "\U0001f4b2",  # 💲 Heavy Dollar Sign
+    "\U0001f4b0",  # 💰 Money Bag
+    "\U0001f4b5",  # 💵 Dollar Banknote
+    "\U0001f48e",  # 💎 Gem Stone
+    "\U0001fa99",  # 🪙 Coin
+    "btc",
+    "eth",
+    "usdt",
+    "crypto",
+    "compensation",
+    "bitcoin",
+    "ethereum",
+    "litecoin",
+    "ltc",
+    "xrp",
+    "doge",
+    "dogecoin",
+    "bnb",
+    "solana",
+    "sol",
+    "airdrop",
+]
+
+CTA_VERBS: list[str] = ["click", "claim", "collect", "withdraw", "act", "pay"]
+CTA_URGENCY: list[str] = ["now", "here", "your", "link"]
+
+SHORT_URL_SIGNALS: list[str] = [
+    "2g.tel",
+    "bit.ly",
+    "t.co",
+    "tinyurl",
+    "rb.gy",
+    "cutt.ly",
+    "shorturl",
+    "is.gd",
+    "v.gd",
+    "ow.ly",
+    "bl.ink",
+]
+
+
+def _has_any(lowered: str, signals: list[str]) -> bool:
+    return any(s in lowered for s in signals)
+
+
+def _has_cta(lowered: str) -> bool:
+    return _has_any(lowered, CTA_VERBS) and _has_any(lowered, CTA_URGENCY)
+
+
+_CATEGORIES: list[tuple[str, Callable[[str], bool]]] = [
+    ("cryptocurrency terminology", lambda val: _has_any(val, CURRENCY_SIGNALS)),
+    ("call-to-action phrases", _has_cta),
+    ("URL shortener domains", lambda val: _has_any(val, SHORT_URL_SIGNALS)),
+]
+
+
+def check_spam_display_name(name: str) -> str | None:
+    """Check if a user-controlled display name matches known spam patterns.
+
+    Returns a user-facing error string listing the matched categories
+    if 2+ distinct signal categories fire, or None if the name is clean.
+    """
+    lowered = name.lower()
+    matched_labels: list[str] = [label for label, check in _CATEGORIES if check(lowered)]
+    if len(matched_labels) >= 2:
+        joined = " and ".join(matched_labels)
+        return f"This name contains disallowed content ({joined}). Please choose a different name."
+    return None

tests/sentry/core/endpoints/test_organization_index.py

@@ -272,6 +272,19 @@ def test_name_with_url_scheme_rejected(self) -> None:
             )
             self.get_error_response(name="http://evil.com", slug="legit-slug-2", status_code=400)
 
+    def test_name_with_spam_signals_rejected(self) -> None:
+        response = self.get_error_response(
+            name="Win $50 ETH bit.ly/offer Claim Now",
+            slug="spam-org",
+            status_code=400,
+        )
+        assert "disallowed content" in str(response.data)
+
+    def test_name_with_single_signal_allowed(self) -> None:
+        response = self.get_success_response(name="BTC Analytics", slug="btc-analytics")
+        org = Organization.objects.get(id=response.data["id"])
+        assert org.name == "BTC Analytics"
+
     def test_name_with_periods_allowed(self) -> None:
         response = self.get_success_response(name="Acme Inc.", slug="acme-inc")
         org = Organization.objects.get(id=response.data["id"])

tests/sentry/utils/test_display_name_filter.py

@@ -0,0 +1,69 @@
+from sentry.utils.display_name_filter import check_spam_display_name
+
+
+class TestCheckSpamDisplayName:
+    def test_clean_name_passes(self) -> None:
+        assert check_spam_display_name("My Company Inc.") is None
+
+    def test_single_currency_signal_passes(self) -> None:
+        assert check_spam_display_name("BTC Analytics") is None
+
+    def test_single_cta_verb_passes(self) -> None:
+        assert check_spam_display_name("Click Studios") is None
+
+    def test_single_cta_urgency_passes(self) -> None:
+        assert check_spam_display_name("Do It Now Labs") is None
+
+    def test_cta_verb_plus_urgency_alone_passes(self) -> None:
+        assert check_spam_display_name("Click Here Studios") is None
+
+    def test_single_shorturl_signal_passes(self) -> None:
+        assert check_spam_display_name("bit.ly team") is None
+
+    def test_currency_plus_cta_rejected(self) -> None:
+        result = check_spam_display_name("Free BTC - Click Here")
+        assert result is not None
+        assert "cryptocurrency terminology" in result
+        assert "call-to-action phrases" in result
+
+    def test_currency_plus_shorturl_rejected(self) -> None:
+        result = check_spam_display_name("Earn $100 via 2g.tel/promo")
+        assert result is not None
+        assert "cryptocurrency terminology" in result
+        assert "URL shortener domains" in result
+
+    def test_cta_plus_shorturl_rejected(self) -> None:
+        result = check_spam_display_name("Click Here: bit.ly/free")
+        assert result is not None
+        assert "call-to-action phrases" in result
+        assert "URL shortener domains" in result
+
+    def test_all_three_categories_rejected(self) -> None:
+        result = check_spam_display_name("Win $50 ETH bit.ly/offer Claim Now")
+        assert result is not None
+
+    def test_case_insensitive(self) -> None:
+        result = check_spam_display_name("FREE BTC - CLICK HERE")
+        assert result is not None
+
+    def test_currency_emoji_detected(self) -> None:
+        result = check_spam_display_name(
+            "\U0001f4b2Compensation Btc: 2g.tel/x Click Your Pay Link."
+        )
+        assert result is not None
+
+    def test_single_currency_emoji_passes(self) -> None:
+        assert check_spam_display_name("My \U0001f4b0 Company") is None
+
+    def test_cta_novel_combo_rejected(self) -> None:
+        result = check_spam_display_name("Withdraw Now - Free BTC")
+        assert result is not None
+
+    def test_empty_string_passes(self) -> None:
+        assert check_spam_display_name("") is None
+
+    def test_error_message_format(self) -> None:
+        result = check_spam_display_name("Free BTC - Click Here")
+        assert result is not None
+        assert "disallowed content" in result
+        assert "Please choose a different name" in result