From a851912f9367c4df459f4e79cf92c6a27a757ccd Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 1 Feb 2024 18:52:42 +0000
Subject: [PATCH] fix(deps): update dependency nodemailer to v6.9.9 [security]
 (#6104)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [nodemailer](https://nodemailer.com/)
([source](https://togithub.com/nodemailer/nodemailer)) | [`6.9.8` ->
`6.9.9`](https://renovatebot.com/diffs/npm/nodemailer/6.9.8/6.9.9) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/nodemailer/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/nodemailer/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/nodemailer/6.9.8/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nodemailer/6.9.8/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[GHSA-9h6g-pr28-7cqp](https://togithub.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp)

### Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files
with the parameter `attachDataUrls` set, causing the stuck of event
loop.
Another flaw was found when nodemailer tries to parse an attachments
with a embedded file, causing the stuck of event loop.

### Details

Regex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/

Path: compile -> getAttachments -> _processDataUrl

Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/

Path: _convertDataImages

### PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

### Impact

ReDoS causes the event loop to stuck a specially crafted evil email can
cause this problem.

---

### Release Notes

<details>
<summary>nodemailer/nodemailer (nodemailer)</summary>

###
[`v6.9.9`](https://togithub.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#699-2024-02-01)

[Compare
Source](https://togithub.com/nodemailer/nodemailer/compare/v6.9.8...v6.9.9)

##### Bug Fixes

- **security:** Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use
eternal matching pattern if only a few occurences are expected
([dd8f5e8](https://togithub.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a))
- **tests:** Use native node test runner, added code coverage support,
removed grunt
([#&#8203;1604](https://togithub.com/nodemailer/nodemailer/issues/1604))
([be45c1b](https://togithub.com/nodemailer/nodemailer/commit/be45c1b299d012358d69247019391a02734d70af))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 yarn.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index 4035023fbf..dff1a868fc 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5246,9 +5246,9 @@ node-releases@^2.0.6:
   integrity sha512-dFSmB8fFHEH/s81Xi+Y/15DQY6VHW81nXRj86EMSL3lmuTmK1e+aT4wrFCkTbm+gSwkw4KpX+rT/pMM2c1mF+A==
 
 nodemailer@^6.5.0:
-  version "6.9.8"
-  resolved "https://registry.yarnpkg.com/nodemailer/-/nodemailer-6.9.8.tgz#29601e80440f2af7aa62b32758fdac7c6b784143"
-  integrity sha512-cfrYUk16e67Ks051i4CntM9kshRYei1/o/Gi8K1d+R34OIs21xdFnW7Pt7EucmVKA0LKtqUGNcjMZ7ehjl49mQ==
+  version "6.9.9"
+  resolved "https://registry.yarnpkg.com/nodemailer/-/nodemailer-6.9.9.tgz#4549bfbf710cc6addec5064dd0f19874d24248d9"
+  integrity sha512-dexTll8zqQoVJEZPwQAKzxxtFn0qTnjdQTchoU6Re9BUUGBJiOy3YMn/0ShTW6J5M0dfQ1NeDeRTTl4oIWgQMA==
 
 noms@0.0.0:
   version "0.0.0"