33 lines
1,003 B
Ruby
33 lines
1,003 B
Ruby
# frozen_string_literal: true
|
|
|
|
module Gitlab
|
|
module Email
|
|
module Hook
|
|
# Check for unsafe characters in the envelope-from and -to addresses.
|
|
# These are passed directly as arguments to sendmail and are liable to shell injection attacks:
|
|
# https://github.com/mikel/mail/blob/2.7.1/lib/mail/network/delivery_methods/sendmail.rb#L53-L58
|
|
class ValidateAddressesInterceptor
|
|
UNSAFE_CHARACTERS = /(\\|[^[:print:]])/.freeze
|
|
|
|
def self.delivering_email(message)
|
|
addresses = Array(message.smtp_envelope_from) + Array(message.smtp_envelope_to)
|
|
|
|
addresses.each do |address|
|
|
next unless address.match?(UNSAFE_CHARACTERS)
|
|
|
|
Gitlab::AuthLogger.info(
|
|
message: 'Skipping email with unsafe characters in address',
|
|
address: address,
|
|
subject: message.subject
|
|
)
|
|
|
|
message.perform_deliveries = false
|
|
|
|
break
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|