# frozen_string_literal: true
module Gitlab
module Email
module Hook
# Check for unsafe characters in the envelope-from and -to addresses.
# These are passed directly as arguments to sendmail and are liable to shell injection attacks:
# https://github.com/mikel/mail/blob/2.7.1/lib/mail/network/delivery_methods/sendmail.rb#L53-L58
class ValidateAddressesInterceptor
  # A backslash or any non-printable character (newline, carriage return,
  # control bytes, ...) in an envelope address is treated as unsafe.
  UNSAFE_CHARACTERS = /(\\|[^[:print:]])/.freeze

  # Mail interceptor hook, run before the message is handed to the delivery method.
  #
  # Inspects every envelope-from and envelope-to address; on the first one that
  # matches UNSAFE_CHARACTERS, logs it via Gitlab::AuthLogger and turns
  # deliveries off for the message. Messages whose envelope is clean are
  # left untouched.
  #
  # @param message [#smtp_envelope_from, #smtp_envelope_to, #subject, #perform_deliveries=]
  #   the outgoing message (presumably a Mail::Message)
  # @return [Array<String>, nil] the inspected envelope when it is clean, nil otherwise
  def self.delivering_email(message)
    # Array() folds nil into [] and a lone String into a one-element array.
    envelope = [*Array(message.smtp_envelope_from), *Array(message.smtp_envelope_to)]
    offender = envelope.find { |address| UNSAFE_CHARACTERS.match?(address) }
    return envelope if offender.nil?

    Gitlab::AuthLogger.info(
      message: 'Skipping email with unsafe characters in address',
      address: offender,
      subject: message.subject
    )
    message.perform_deliveries = false
    nil
  end
end
end
end
end