diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-26 03:14:54 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-26 03:14:54 +0300 |
| commit | a40d39ddd2dce862f95d35c42a07c0fce4df8f0a (patch) | |
| tree | 4c7f8b0898c57f1e0973b22729e01f8508388562 /lib/gitlab/email | |
| parent | ffe8b982e9d93ed23817a4bd9696ef1ef59de9f9 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/email')
| -rw-r--r-- | lib/gitlab/email/hook/validate_addresses_interceptor.rb | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/lib/gitlab/email/hook/validate_addresses_interceptor.rb b/lib/gitlab/email/hook/validate_addresses_interceptor.rb new file mode 100644 index 00000000000..e63f047e63d --- /dev/null +++ b/lib/gitlab/email/hook/validate_addresses_interceptor.rb @@ -0,0 +1,32 @@ +# frozen_string_literal: true + +module Gitlab + module Email + module Hook + # Check for unsafe characters in the envelope-from and -to addresses. + # These are passed directly as arguments to sendmail and are liable to shell injection attacks: + # https://github.com/mikel/mail/blob/2.7.1/lib/mail/network/delivery_methods/sendmail.rb#L53-L58 + class ValidateAddressesInterceptor + UNSAFE_CHARACTERS = /(\\|[^[:print:]])/.freeze + + def self.delivering_email(message) + addresses = Array(message.smtp_envelope_from) + Array(message.smtp_envelope_to) + + addresses.each do |address| + next unless address.match?(UNSAFE_CHARACTERS) + + Gitlab::AuthLogger.info( + message: 'Skipping email with unsafe characters in address', + address: address, + subject: message.subject + ) + + message.perform_deliveries = false + + break + end + end + end + end + end +end |