1 files changed, 32 insertions, 0 deletions

diff --git a/lib/gitlab/email/hook/validate_addresses_interceptor.rb b/lib/gitlab/email/hook/validate_addresses_interceptor.rb
new file mode 100644
index 00000000000..e63f047e63d
--- /dev/null
+++ b/lib/gitlab/email/hook/validate_addresses_interceptor.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Email
+    module Hook
+      # Check for unsafe characters in the envelope-from and -to addresses.
+      # These are passed directly as arguments to sendmail and are liable to shell injection attacks:
+      # https://github.com/mikel/mail/blob/2.7.1/lib/mail/network/delivery_methods/sendmail.rb#L53-L58
+      class ValidateAddressesInterceptor
+        UNSAFE_CHARACTERS = /(\\|[^[:print:]])/.freeze
+
+        def self.delivering_email(message)
+          addresses = Array(message.smtp_envelope_from) + Array(message.smtp_envelope_to)
+
+          addresses.each do |address|
+            next unless address.match?(UNSAFE_CHARACTERS)
+
+            Gitlab::AuthLogger.info(
+              message: 'Skipping email with unsafe characters in address',
+              address: address,
+              subject: message.subject
+            )
+
+            message.perform_deliveries = false
+
+            break
+          end
+        end
+      end
+    end
+  end
+end