update

ts/mail/delivery/smtpserver/data-handler.ts

@@ -11,6 +11,7 @@ import type { ISmtpSession, ISmtpTransactionResult } from './interfaces.js';
 import type { IDataHandler, ISessionManager } from './interfaces.js';
 import { SmtpResponseCode, SMTP_PATTERNS, SMTP_DEFAULTS } from './constants.js';
 import { SmtpLogger } from './utils/logging.js';
+import { detectHeaderInjection } from './utils/validation.js';
 import { Email } from '../../core/classes.email.js';
 import { UnifiedEmailServer } from '../../routing/classes.unified.email.server.js';
 
@@ -599,6 +600,17 @@ SmtpLogger.debug(`Parsed email subject: ${subject}`, { subject });
         const name = line.substring(0, separatorIndex).trim().toLowerCase();
         const value = line.substring(separatorIndex + 1).trim();
         
+        // Check for header injection attempts in header values
+        if (detectHeaderInjection(value)) {
+          SmtpLogger.warn('Header injection attempt detected in email header', { 
+            headerName: name, 
+            headerValue: value.substring(0, 100) + (value.length > 100 ? '...' : ''),
+            sessionId: session.id
+          });
+          // Skip this header to prevent injection
+          continue;
+        }
+        
         // Special handling for MIME-encoded headers (especially Subject)
         if (name === 'subject' && value.includes('=?')) {
           try {

ts/mail/delivery/smtpserver/utils/validation.ts

@@ -5,6 +5,59 @@
 
 import { SmtpState } from '../interfaces.js';
 import { SMTP_PATTERNS } from '../constants.js';
+
+/**
+ * Header injection patterns to detect malicious input
+ * These patterns detect common header injection attempts
+ */
+const HEADER_INJECTION_PATTERNS = [
+  /\r\n/,                    // CRLF sequence
+  /\n/,                      // LF alone  
+  /\r/,                      // CR alone
+  /\x00/,                    // Null byte
+  /\x0A/,                    // Line feed hex
+  /\x0D/,                    // Carriage return hex
+  /%0A/i,                    // URL encoded LF
+  /%0D/i,                    // URL encoded CR
+  /%0a/i,                    // URL encoded LF lowercase
+  /%0d/i,                    // URL encoded CR lowercase
+  /\\\n/,                    // Escaped newline
+  /\\\r/,                    // Escaped carriage return
+  /(?:subject|from|to|cc|bcc|reply-to|return-path|received|delivered-to|x-.*?):/i  // Email headers
+];
+
+/**
+ * Detects header injection attempts in input strings
+ * @param input - The input string to check
+ * @returns true if header injection is detected, false otherwise
+ */
+export function detectHeaderInjection(input: string): boolean {
+  if (!input || typeof input !== 'string') {
+    return false;
+  }
+  
+  // Check against all header injection patterns
+  return HEADER_INJECTION_PATTERNS.some(pattern => pattern.test(input));
+}
+
+/**
+ * Sanitizes input by removing or escaping potentially dangerous characters
+ * @param input - The input string to sanitize
+ * @returns Sanitized string
+ */
+export function sanitizeInput(input: string): string {
+  if (!input || typeof input !== 'string') {
+    return '';
+  }
+  
+  // Remove control characters and potential injection sequences
+  return input
+    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '') // Remove control chars except \t, \n, \r
+    .replace(/\r\n/g, ' ')  // Replace CRLF with space
+    .replace(/[\r\n]/g, ' ') // Replace individual CR/LF with space
+    .replace(/%0[aAdD]/gi, '') // Remove URL encoded CRLF
+    .trim();
+}
 import { SmtpLogger } from './logging.js';
 
 /**
@@ -35,6 +88,12 @@ export function validateMailFrom(args: string): {
     return { isValid: false, errorMessage: 'Missing arguments' };
   }
   
+  // Check for header injection attempts
+  if (detectHeaderInjection(args)) {
+    SmtpLogger.warn('Header injection attempt detected in MAIL FROM command', { args });
+    return { isValid: false, errorMessage: 'Invalid syntax - illegal characters detected' };
+  }
+  
   // Handle "MAIL FROM:" already in the args
   let cleanArgs = args;
   if (args.toUpperCase().startsWith('MAIL FROM')) {
@@ -118,6 +177,12 @@ export function validateRcptTo(args: string): {
     return { isValid: false, errorMessage: 'Missing arguments' };
   }
   
+  // Check for header injection attempts
+  if (detectHeaderInjection(args)) {
+    SmtpLogger.warn('Header injection attempt detected in RCPT TO command', { args });
+    return { isValid: false, errorMessage: 'Invalid syntax - illegal characters detected' };
+  }
+  
   // Handle "RCPT TO:" already in the args
   let cleanArgs = args;
   if (args.toUpperCase().startsWith('RCPT TO')) {
@@ -187,6 +252,12 @@ export function validateEhlo(args: string): {
     return { isValid: false, errorMessage: 'Missing domain name' };
   }
   
+  // Check for header injection attempts
+  if (detectHeaderInjection(args)) {
+    SmtpLogger.warn('Header injection attempt detected in EHLO command', { args });
+    return { isValid: false, errorMessage: 'Invalid domain name format' };
+  }
+  
   // Extract hostname from EHLO command if present in args
   let hostname = args;
   const match = args.match(/^(?:EHLO|HELO)\s+([^\s]+)$/i);