diff --git a/.github/workflows/notify_enterprise.yaml b/.github/workflows/notify_enterprise.yaml
index cedcb0aada..e70d7c4303 100644
--- a/.github/workflows/notify_enterprise.yaml
+++ b/.github/workflows/notify_enterprise.yaml
@@ -24,12 +24,6 @@ jobs:
 steps:
 - uses: actions/checkout@v3
- - run: |
- echo "github.event.head_commit.committer.name: ${{ github.event.head_commit.committer.name }}"
- echo "github.event.head_commit.committer.email: ${{ github.event.head_commit.committer.email }}"
- echo "github.actor: ${{ github.actor }}"
- echo "github.event.commits[0].author.name ${{ github.event.commits[0].author.name }}"
- echo "github.event.commits[0].author.email ${{ github.event.commits[0].author.email }}"
 - name: Trigger sync
 uses: actions/github-script@v6
 with:
diff --git a/src/lib/util/is-email.ts b/src/lib/util/is-email.ts
index b0be238957..3f83a09fc8 100644
--- a/src/lib/util/is-email.ts
+++ b/src/lib/util/is-email.ts
@@ -5,11 +5,19 @@ const matcher =
 /**
 * Loosely validate an email address.
+ * Max length of an email address is 320 characters: 64 for the local part + 1 for the @ +
+ * 255 for the domain part.
+ * See https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1
+ *
+ * Being a bit extra cautious here and limiting the max length to 500 characters, which prevents
+ * [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) attacks
+ * due to polynomial regular expression used on uncontrolled data.
 *
 * @param {string} string
 * @return {boolean}
 */
 function isEmail(value: string): boolean {
+ if (value.length > 500) return false;
 return matcher.test(value);
 }
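Review bot: The new guard `if (value.length > 500) return false;` turns a non-string argument into a TypeError at `value.length`, where the old code almost certainly returned false after `matcher.test` coerced the argument to a string; for a validator that is likely fed untrusted request input despite the `string` annotation, `if (typeof value !== 'string' || value.length > 500) return false;` keeps it fail-closed. The bare 500 would read better as a named constant (e.g. `const MAX_EMAIL_LENGTH = 500;` next to `matcher`) so the cap and the comment that justifies it stay in sync. The JSDoc this commit extends still documents a parameter called `string` while the function takes `value`; `@param {string} value` fixes that. The `matcher` regex is declared outside the hunk, so the polynomial-backtracking claim in the comment cannot be checked from here.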