From 661cbf2b917735ed5edbf643ad6c595db9fa758a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gast=C3=B3n=20Fournier?=
Date: Wed, 5 Jul 2023 11:51:27 +0200
Subject: [PATCH] fix: some security vulnerabilities (#4143)

## About the changes
This should address: https://github.com/Unleash/unleash/security/code-scanning/1, https://github.com/Unleash/unleash/security/code-scanning/49 and https://github.com/Unleash/unleash/security/code-scanning/52
Refs:
- https://securitylab.github.com/research/github-actions-untrusted-input/
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1
---------
Co-authored-by: Christopher Kolstad
---
 .github/workflows/notify_enterprise.yaml | 6 ------
 src/lib/util/is-email.ts | 8 ++++++++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/notify_enterprise.yaml b/.github/workflows/notify_enterprise.yaml
index cedcb0aada..e70d7c4303 100644
--- a/.github/workflows/notify_enterprise.yaml
+++ b/.github/workflows/notify_enterprise.yaml
@@ -24,12 +24,6 @@ jobs: steps: - uses: actions/checkout@v3 - - run: | - echo "github.event.head_commit.committer.name: ${{ github.event.head_commit.committer.name }}" - echo "github.event.head_commit.committer.email: ${{ github.event.head_commit.committer.email }}" - echo "github.actor: ${{ github.actor }}" - echo "github.event.commits[0].author.name ${{ github.event.commits[0].author.name }}" - echo "github.event.commits[0].author.email ${{ github.event.commits[0].author.email }}" - name: Trigger sync uses: actions/github-script@v6 with:
diff --git a/src/lib/util/is-email.ts b/src/lib/util/is-email.ts
index b0be238957..3f83a09fc8 100644
--- a/src/lib/util/is-email.ts
+++ b/src/lib/util/is-email.ts
@@ -5,11 +5,19 @@ const matcher = /** * Loosely validate an email address. + * Max length of an email address is 320 characters: 64 for the local part + 1 for the @ + + * 255 for the domain part. + * See https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1 + * + * Being a bit extra cautious here and limiting the max length to 500 characters, which prevents + * [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) attacks + * due to polynomial regular expression used on uncontrolled data. * * @param {string} string * @return {boolean} */ function isEmail(value: string): boolean { + if (value.length > 500) return false; return matcher.test(value); }
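Review bot: The added guard `if (value.length > 500) return false;` in isEmail's body changes failure mode for non-string input: the `string` annotation is erased at runtime, so if any caller passes `undefined` or `null` (e.g. a missing request field) the new line throws a TypeError, whereas the old `matcher.test(value)` coerced the value to a string and most likely returned false. Since the commit explicitly targets uncontrolled data, a runtime type check keeps the function total: `if (typeof value !== 'string' || value.length > 500) return false;`. The cap bounds how far the polynomial `matcher` can be driven, but the regex itself (defined above the hunk and not visible here) remains superlinear; replacing it with a pattern free of nested or overlapping quantifiers would remove the ReDoS class rather than bound it. Note that `value.length` counts UTF-16 code units, not the RFC's octets, which is fine as a ReDoS bound but worth a word in the new comment. The pre-existing `@param {string} string` names a parameter that does not exist; `@param value` would match the signature.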