SMTP security: prevent command injection via To/From addresses
Validate addresses passed as SMTP command arguments to prevent injection of other SMTP commands. Disallow line breaks and very long addresses which may cause overflows on some old SMTP servers.

Ruby 2.4 Net::SMTP already disallows addresses that contain newlines. Enforce this validation in Mail to cover older Ruby versions and other SMTP implementations that don't validate input.

SMTP injection whitepaper: http://www.mbsd.jp/Whitepaper/smtpi.pdf
Ruby security report: https://hackerone.com/reports/137631
OSVDB entry: https://rubysec.com/advisories/mail-OSVDB-131677

Closes #1098
Showing 13 changed files with 135 additions and 54 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,8 @@ | ||
== Version 2.6.6 - unreleased | ||
|
||
Security: | ||
* #1097 – SMTP security: prevent command injection via To/From addresses. (jeremy) | ||
|
||
== Version 2.6.5 - 2017-04-26 Jeremy Daer <[email protected]> | ||
|
||
Features: | ||
|
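Review bot: The new `Security:` entry cites #1097, while the commit message says `Closes #1098`; confirm which number is the pull request and which is the issue, and make the changelog point at the one readers should follow. Since this is a security fix, the entry could also name the two rejected conditions (CR/LF line breaks and addresses over 2kB) so that anyone upgrading knows that `deliver` can now raise `ArgumentError` for them.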
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,21 +1,58 @@ | ||
# frozen_string_literal: true | ||
module Mail | ||
module CheckDeliveryParams | ||
def check_delivery_params(mail) | ||
if Utilities.blank?(mail.smtp_envelope_from) | ||
raise ArgumentError.new('An SMTP From address is required to send a message. Set the message smtp_envelope_from, return_path, sender, or from address.') | ||
module CheckDeliveryParams #:nodoc: | ||
class << self | ||
def check(mail) | ||
[ check_from(mail.smtp_envelope_from), | ||
check_to(mail.smtp_envelope_to), | ||
check_message(mail) ] | ||
end | ||
|
||
if Utilities.blank?(mail.smtp_envelope_to) | ||
raise ArgumentError.new('An SMTP To address is required to send a message. Set the message smtp_envelope_to, to, cc, or bcc address.') | ||
def check_from(addr) | ||
if Utilities.blank?(addr) | ||
raise ArgumentError, "SMTP From address may not be blank: #{addr.inspect}" | ||
end | ||
|
||
check_addr 'From', addr | ||
end | ||
|
||
def check_to(addrs) | ||
if Utilities.blank?(addrs) | ||
raise ArgumentError, "SMTP To address may not be blank: #{addrs.inspect}" | ||
end | ||
|
||
Array(addrs).map do |addr| | ||
check_addr 'To', addr | ||
end | ||
end | ||
|
||
message = mail.encoded if mail.respond_to?(:encoded) | ||
if Utilities.blank?(message) | ||
raise ArgumentError.new('An encoded message is required to send an email') | ||
def check_addr(addr_name, addr) | ||
validate_smtp_addr addr do |error_message| | ||
raise ArgumentError, "SMTP #{addr_name} address #{error_message}: #{addr.inspect}" | ||
end | ||
end | ||
|
||
[mail.smtp_envelope_from, mail.smtp_envelope_to, message] | ||
def validate_smtp_addr(addr) | ||
if addr.bytesize > 2048 | ||
yield 'may not exceed 2kB' | ||
end | ||
|
||
if /[\r\n]/ =~ addr | ||
yield 'may not contain CR or LF line breaks' | ||
end | ||
|
||
addr | ||
end | ||
|
||
def check_message(message) | ||
message = message.encoded if message.respond_to?(:encoded) | ||
|
||
if Utilities.blank?(message) | ||
raise ArgumentError, 'An encoded message is required to send an email' | ||
end | ||
|
||
message | ||
end | ||
end | ||
end | ||
end |
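Review bot: In `check_to`, the blank check is applied to `addrs` as a whole, so an individual element that is nil or an empty string still reaches `check_addr`. `validate_smtp_addr` then calls `addr.bytesize` with no type guard: a nil element fails with NoMethodError instead of the documented `ArgumentError`, and an empty string passes both checks and is returned as a valid recipient. Moving the blank test into `check_addr` (or adding one per element) would close that gap. Two smaller points: `/[\r\n]/` rejects only CR and LF, so consider rejecting other control characters in the same branch; and the former `check_delivery_params(mail)` instance method appears to be replaced by `CheckDeliveryParams.check(mail)`, which would break third-party delivery methods that include the module unless a deprecated shim is kept.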
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -191,7 +191,7 @@ def redefine_verify_none(new_value) | |
subject "Email with no sender" | ||
body "body" | ||
end | ||
end.to raise_error('An SMTP From address is required to send a message. Set the message smtp_envelope_from, return_path, sender, or from address.') | ||
end.to raise_error('SMTP From address may not be blank: nil') | ||
end | ||
|
||
it "should raise an error if no recipient if defined" do | ||
|
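Review bot: The updated expectation `raise_error('SMTP From address may not be blank: nil')` matches on the message string only, so any exception class with that text would satisfy it; pass `ArgumentError` as the first argument, as the overflow tests added further down do. The new message also drops the earlier hint about which fields to set (smtp_envelope_from, return_path, sender, or from), which was useful to callers hitting this error for the first time.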
@@ -201,8 +201,63 @@ def redefine_verify_none(new_value) | |
subject "Email with no recipient" | ||
body "body" | ||
end | ||
end.to raise_error('An SMTP To address is required to send a message. Set the message smtp_envelope_to, to, cc, or bcc address.') | ||
end.to raise_error('SMTP To address may not be blank: []') | ||
end | ||
end | ||
|
||
it "should raise on SMTP injection via MAIL FROM newlines" do | ||
addr = "[email protected]>\r\nDATA" | ||
|
||
mail = Mail.new do | ||
from addr | ||
to "[email protected]" | ||
end | ||
|
||
# Mail 2.6.x header unfolding collapses whitespace, avoiding | ||
# SMTP injection as a side effect. | ||
expect(mail.smtp_envelope_from).to eq addr.gsub(/[\r\n]+/, ' ') | ||
end | ||
|
||
it "should raise on SMTP injection via RCPT TO newlines" do | ||
addr = "[email protected]>\r\nDATA" | ||
|
||
mail = Mail.new do | ||
from "[email protected]" | ||
to addr | ||
end | ||
|
||
# Mail 2.6.x header unfolding collapses whitespace, avoiding | ||
# SMTP injection as a side effect. | ||
expect(mail.smtp_envelope_to).to eq [addr.gsub(/[\r\n]+/, ' ')] | ||
end | ||
|
||
it "should raise on SMTP injection via MAIL FROM overflow" do | ||
addr = "[email protected]#{'m' * 2025}DATA" | ||
|
||
mail = Mail.new do | ||
from addr | ||
to "[email protected]" | ||
end | ||
|
||
expect(mail.smtp_envelope_from).to eq addr | ||
|
||
expect do | ||
mail.deliver | ||
end.to raise_error(ArgumentError, "SMTP From address may not exceed 2kB: #{addr.inspect}") | ||
end | ||
|
||
it "should raise on SMTP injection via RCPT TO overflow" do | ||
addr = "[email protected]#{'m' * 2027}DATA" | ||
|
||
mail = Mail.new do | ||
from "[email protected]" | ||
to addr | ||
end | ||
|
||
expect(mail.smtp_envelope_to).to eq [addr] | ||
|
||
expect do | ||
mail.deliver | ||
end.to raise_error(ArgumentError, "SMTP To address may not exceed 2kB: #{addr.inspect}") | ||
end | ||
end | ||
end |
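Review bot: The two tests titled "should raise on SMTP injection via MAIL FROM newlines" and "... RCPT TO newlines" never assert a raise; they only check that header unfolding turns the CR/LF into a space, so the new `/[\r\n]/` branch in `validate_smtp_addr` is not exercised by anything in this hunk. Add a test that hands the CRLF address straight to the validator, for example `Mail::CheckDeliveryParams.check_from(addr)`, and expects `ArgumentError` with 'may not contain CR or LF line breaks', then rename the existing two to describe the unfolding behaviour they actually verify. The overflow tests would also be stronger with a boundary case: an address of exactly 2048 bytes should be accepted and one of 2049 bytes rejected.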