From 196afe8ed1b8e00c08b8748d626cfceb45f9f360 Mon Sep 17 00:00:00 2001
From: Jonas Lochmann
Date: Mon, 7 Oct 2019 00:00:00 +0000
Subject: [PATCH] Sanitize mail addresses

---
 package-lock.json | 5 +++++
 package.json | 1 +
 src/api/auth.ts | 12 +++++++++---
 src/util/mail.ts | 17 +++++++++++++++++
 4 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 533eb12..3188ef4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1593,6 +1593,11 @@
 "resolved": "https://registry.npmjs.org/ejs/-/ejs-2.6.2.tgz",
 "integrity": "sha512-PcW2a0tyTuPHz3tWyYqtK6r1fZ3gp+3Sop8Ph+ZYN81Ob5rwmbHEzaqs10N3BEsaGTkh/ooniXK+WwszGlc2+Q=="
 },
+ "email-addresses": {
+ "version": "3.0.3",
+ "resolved": "https://registry.npmjs.org/email-addresses/-/email-addresses-3.0.3.tgz",
+ "integrity": "sha512-kUlSC06PVvvjlMRpNIl3kR1NRXLEe86VQ7N0bQeaCZb2g+InShCeHQp/JvyYNTugMnRN2NvJhHlc3q12MWbbpg=="
+ },
 "email-templates": {
 "version": "5.1.0",
 "resolved": "https://registry.npmjs.org/email-templates/-/email-templates-5.1.0.tgz",
diff --git a/package.json b/package.json
index 7a09392..a14ced8 100644
--- a/package.json
+++ b/package.json
@@ -45,6 +45,7 @@
 "basic-auth": "^2.0.1",
 "body-parser": "^1.19.0",
 "ejs": "^2.6.2",
+ "email-addresses": "^3.0.3",
 "email-templates": "^5.1.0",
 "escape-html": "^1.0.3",
 "express": "^4.17.1",
diff --git a/src/api/auth.ts b/src/api/auth.ts
index c87be50..fb4b588 100644
--- a/src/api/auth.ts
+++ b/src/api/auth.ts
@@ -20,7 +20,7 @@ import { Router } from 'express'
 import { BadRequest } from 'http-errors'
 import { Database } from '../database'
 import { sendLoginCode, signInByMailCode } from '../function/authentication/login-by-mail'
-import { isMailServerBlacklisted } from '../util/mail'
+import { isMailServerBlacklisted, sanitizeMailAddress } from '../util/mail'
 import { isSendMailLoginCodeRequest, isSignInByMailCodeRequest
@@ -35,11 +35,17 @@ export const createAuthRouter = (database: Database) => {
 throw new BadRequest()
 }
 
- if (isMailServerBlacklisted(req.body.mail)) {
+ const mail = sanitizeMailAddress(req.body.mail)
+
+ if (!mail) {
+ throw new BadRequest()
+ }
+
+ if (isMailServerBlacklisted(mail)) {
 res.json({ mailServerBlacklisted: true })
 } else {
 const { mailLoginToken } = await sendLoginCode({
- mail: req.body.mail,
+ mail,
 locale: req.body.locale,
 database
 })
diff --git a/src/util/mail.ts b/src/util/mail.ts
index 7421d7b..9a32002 100644
--- a/src/util/mail.ts
+++ b/src/util/mail.ts
@@ -15,6 +15,7 @@
 * along with this program. If not, see .
 */
 
+import { parseOneAddress } from 'email-addresses'
 import * as Email from 'email-templates'
 import { join } from 'path'
 
@@ -89,3 +90,19 @@ export function isMailServerBlacklisted (mail: string) {
 
 return mailServerBlacklist.indexOf(domain.toLowerCase()) !== -1
 }
+
+export function sanitizeMailAddress (input: string): string | null {
+ const parsed = parseOneAddress(input)
+
+ if ((!parsed) || (parsed.type !== 'mailbox')) {
+ return null
+ }
+
+ const address = (parsed as any).address
+
+ if (typeof address !== 'string') {
+ throw new Error('illegal state')
+ }
+
+ return address
+}
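Review bot: `sanitizeMailAddress(req.body.mail)` can throw `Error('illegal state')` when the parser yields a mailbox without a string `address` (see the mail.ts hunk in this patch), and nothing in this handler catches it, so request-controlled input would surface as an unexpected server error instead of the `BadRequest` that the `!mail` branch returns for other unparsable input. Whether that error even reaches the Express error handler depends on how this async route is wrapped, which is outside the hunk. Either map it here, `let mail: string | null; try { mail = sanitizeMailAddress(req.body.mail) } catch { mail = null }`, or have the sanitizer return null for that case so the route only ever sees `string | null`. createAuthRouter's body begins before and continues after this hunk.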
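Review bot: `const address = (parsed as any).address` in sanitizeMailAddress throws away the package's typings for the narrowed mailbox; the same runtime check works without `any`, e.g. `const { address } = parsed as { address?: unknown }` followed by the existing `typeof address !== 'string'` guard. The exported function also has no documentation: a TSDoc above it should state that it parses a single RFC 5322 address and returns only the bare addr-spec (display name, comments and angle brackets dropped), that it returns null when the input is not exactly one mailbox (a group, an address list or unparsable text), and that it does not change case, so callers relying on case-insensitive matching must lowercase themselves. Because callers now receive this stripped form, any other place that looks up the same mailbox (presumably the sign-in-by-code path, which is not in this patch) should apply the same normalization so that `Name <user@example.org>` and `user@example.org` resolve to the same account.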