update

2025-05-22 00:38:04 +00:00
parent b2f25c49b6
commit a4353b10bb
2 changed files with 71 additions and 7 deletions
--- a/ts/mail/delivery/smtpserver/utils/validation.ts
+++ b/ts/mail/delivery/smtpserver/utils/validation.ts
@ -29,15 +29,45 @@ const HEADER_INJECTION_PATTERNS = [
 /**
 * Detects header injection attempts in input strings
 * @param input - The input string to check
+ * @param context - The context where this input is being used ('smtp-command' or 'email-header')
 * @returns true if header injection is detected, false otherwise
 */
-export function detectHeaderInjection(input: string): boolean {
+export function detectHeaderInjection(input: string, context: 'smtp-command' | 'email-header' = 'smtp-command'): boolean {
  if (!input || typeof input !== 'string') {
    return false;
  }
  
-  // Check against all header injection patterns
-  return HEADER_INJECTION_PATTERNS.some(pattern => pattern.test(input));
+  // Check for control characters and CRLF sequences (always dangerous)
+  const controlCharPatterns = [
+    /\r\n/,                    // CRLF sequence
+    /\n/,                      // LF alone  
+    /\r/,                      // CR alone
+    /\x00/,                    // Null byte
+    /\x0A/,                    // Line feed hex
+    /\x0D/,                    // Carriage return hex
+    /%0A/i,                    // URL encoded LF
+    /%0D/i,                    // URL encoded CR
+    /%0a/i,                    // URL encoded LF lowercase
+    /%0d/i,                    // URL encoded CR lowercase
+    /\\\n/,                    // Escaped newline
+    /\\\r/,                    // Escaped carriage return
+  ];
+  
+  // Check control characters (always dangerous in any context)
+  if (controlCharPatterns.some(pattern => pattern.test(input))) {
+    return true;
+  }
+  
+  // For email headers, also check for header injection patterns
+  if (context === 'email-header') {
+    const headerPatterns = [
+      /(?:subject|from|to|cc|bcc|reply-to|return-path|received|delivered-to|x-.*?):/i  // Email headers
+    ];
+    return headerPatterns.some(pattern => pattern.test(input));
+  }
+  
+  // For SMTP commands, don't flag normal command syntax like "TO:" as header injection
+  return false;
 }

 /**