Sanitize mail addresses

2025-10-03 09:49:32 +02:00 · 2019-10-07 00:00:00 +00:00 · 2019-10-07 00:00:00 +00:00 · 196afe8ed1
commit 196afe8ed1
parent df2cdab180
4 changed files with 32 additions and 3 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -1593,6 +1593,11 @@
      "resolved": "https://registry.npmjs.org/ejs/-/ejs-2.6.2.tgz",
      "integrity": "sha512-PcW2a0tyTuPHz3tWyYqtK6r1fZ3gp+3Sop8Ph+ZYN81Ob5rwmbHEzaqs10N3BEsaGTkh/ooniXK+WwszGlc2+Q=="
    },
+    "email-addresses": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/email-addresses/-/email-addresses-3.0.3.tgz",
+      "integrity": "sha512-kUlSC06PVvvjlMRpNIl3kR1NRXLEe86VQ7N0bQeaCZb2g+InShCeHQp/JvyYNTugMnRN2NvJhHlc3q12MWbbpg=="
+    },
    "email-templates": {
      "version": "5.1.0",
      "resolved": "https://registry.npmjs.org/email-templates/-/email-templates-5.1.0.tgz",
--- a/package.json
+++ b/package.json
@ -45,6 +45,7 @@
    "basic-auth": "^2.0.1",
    "body-parser": "^1.19.0",
    "ejs": "^2.6.2",
+    "email-addresses": "^3.0.3",
    "email-templates": "^5.1.0",
    "escape-html": "^1.0.3",
    "express": "^4.17.1",
--- a/src/api/auth.ts
+++ b/src/api/auth.ts
@ -20,7 +20,7 @@ import { Router } from 'express'
 import { BadRequest } from 'http-errors'
 import { Database } from '../database'
 import { sendLoginCode, signInByMailCode } from '../function/authentication/login-by-mail'
-import { isMailServerBlacklisted } from '../util/mail'
+import { isMailServerBlacklisted, sanitizeMailAddress } from '../util/mail'
 import {
  isSendMailLoginCodeRequest,
  isSignInByMailCodeRequest
@ -35,11 +35,17 @@ export const createAuthRouter = (database: Database) => {
        throw new BadRequest()
      }

-      if (isMailServerBlacklisted(req.body.mail)) {
+      const mail = sanitizeMailAddress(req.body.mail)
+
+      if (!mail) {
+        throw new BadRequest()
+      }
+
+      if (isMailServerBlacklisted(mail)) {
        res.json({ mailServerBlacklisted: true })
      } else {
        const { mailLoginToken } = await sendLoginCode({
-          mail: req.body.mail,
+          mail,
          locale: req.body.locale,
          database
        })
--- a/src/util/mail.ts
+++ b/src/util/mail.ts
@ -15,6 +15,7 @@
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

+import { parseOneAddress } from 'email-addresses'
 import * as Email from 'email-templates'
 import { join } from 'path'

@ -89,3 +90,19 @@ export function isMailServerBlacklisted (mail: string) {

  return mailServerBlacklist.indexOf(domain.toLowerCase()) !== -1
 }
+
+export function sanitizeMailAddress (input: string): string | null {
+  const parsed = parseOneAddress(input)
+
+  if ((!parsed) || (parsed.type !== 'mailbox')) {
+    return null
+  }
+
+  const address = (parsed as any).address
+
+  if (typeof address !== 'string') {
+    throw new Error('illegal state')
+  }
+
+  return address
+}