This commit is contained in:
2025-05-22 00:11:33 +00:00
parent d3255a7e14
commit b2f25c49b6
2 changed files with 83 additions and 0 deletions

View File

@@ -11,6 +11,7 @@ import type { ISmtpSession, ISmtpTransactionResult } from './interfaces.js';
import type { IDataHandler, ISessionManager } from './interfaces.js';
import { SmtpResponseCode, SMTP_PATTERNS, SMTP_DEFAULTS } from './constants.js';
import { SmtpLogger } from './utils/logging.js';
import { detectHeaderInjection } from './utils/validation.js';
import { Email } from '../../core/classes.email.js';
import { UnifiedEmailServer } from '../../routing/classes.unified.email.server.js';
@@ -599,6 +600,17 @@ SmtpLogger.debug(`Parsed email subject: ${subject}`, { subject });
const name = line.substring(0, separatorIndex).trim().toLowerCase();
const value = line.substring(separatorIndex + 1).trim();
// Check for header injection attempts in header values
if (detectHeaderInjection(value)) {
SmtpLogger.warn('Header injection attempt detected in email header', {
headerName: name,
headerValue: value.substring(0, 100) + (value.length > 100 ? '...' : ''),
sessionId: session.id
});
// Skip this header to prevent injection
continue;
}
// Special handling for MIME-encoded headers (especially Subject)
if (name === 'subject' && value.includes('=?')) {
try {