From c501fb221cbdb83cf8e1c897614b2dbcd27ba802 Mon Sep 17 00:00:00 2001
From: sjaanus
Date: Tue, 1 Nov 2022 09:38:33 +0100
Subject: [PATCH] Hyperlink Injection in People Invitation Emails (#2307)
* Strip special characters
* Allow hyphens
---
 src/lib/services/email-service.test.ts | 21 +++++++++++++++++++++
 src/lib/services/email-service.ts | 11 ++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/src/lib/services/email-service.test.ts b/src/lib/services/email-service.test.ts
index e5db50ee09..dbb9a36c5c 100644
--- a/src/lib/services/email-service.test.ts
+++ b/src/lib/services/email-service.test.ts
@@ -80,3 +80,24 @@ test('Can supply additional SMTP transport options', async () => {
 },
 });
 });
+
+test('should strip special characters from email subject', async () => {
+ const emailService = new EmailService(
+ {
+ host: 'test',
+ port: 9999,
+ secure: false,
+ sender: 'noreply@getunleash.ai',
+ smtpuser: '',
+ smtppass: '',
+ },
+ noLoggerProvider,
+ );
+ expect(emailService.stripSpecialCharacters('http://evil.com')).toBe(
+ 'httpevilcom',
+ );
+ expect(emailService.stripSpecialCharacters('http://ööbik.com')).toBe(
+ 'httpööbikcom',
+ );
+ expect(emailService.stripSpecialCharacters('tom-jones')).toBe('tom-jones');
+});
diff --git a/src/lib/services/email-service.ts b/src/lib/services/email-service.ts
index f2307a50ec..f285d0f4fa 100644
--- a/src/lib/services/email-service.ts
+++ b/src/lib/services/email-service.ts
@@ -138,7 +138,12 @@ export class EmailService {
 ): Promise {
 if (this.configured()) {
 const year = new Date().getFullYear();
- const context = { passwordLink, name, year, unleashUrl };
+ const context = {
+ passwordLink,
+ name: this.stripSpecialCharacters(name),
+ year,
+ unleashUrl,
+ };
 const bodyHtml = await this.compileTemplate(
 'getting-started',
 TemplateFormat.HTML,
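Review bot: The new test's title says 'email subject', but the helper it exercises is applied to the `name` field of the template context in email-service.ts, not to a subject line; `test('should strip special characters from a user-supplied name', async () => {` would describe what is actually pinned. The three assertions cover ASCII punctuation removal and hyphen retention, but nothing documents that whitespace is meant to survive, which a name like 'Tom Jones' depends on; `expect(emailService.stripSpecialCharacters('Tom Jones')).toBe('Tom Jones');` would pin that explicitly. The EmailService construction above the assertions is scaffolding only, since the method under test reads no instance state.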
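Review bot: The stripping is applied at this single call site, so any other template context that interpolates the same `name` value (none is visible in this hunk) is not covered, and the test title's reference to the email subject does not match what this hunk changes, which is the body context for the 'getting-started' template; if the subject also carries `name`, that path is unchanged here. The enclosing method starts and ends outside the hunk, so its signature and how `name` reaches it cannot be confirmed from this view. A short why-comment on the new `name:` line would help the next reader, e.g. `// user-controlled: strip punctuation so it cannot render as a link in the template`.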
@@ -222,4 +227,8 @@ export class EmailService {
 configured(): boolean {
 return this.sender !== 'not-configured' && this.mailer !== undefined;
 }
+
+ stripSpecialCharacters(str: string): string {
+ return str?.replace(/[`~!@#$%^&*()_|+=?;:'",.<>\{\}\[\]\\\/]/gi, '');
+ }
 }
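Review bot: `str?.replace(...)` in stripSpecialCharacters is declared as taking and returning `string`, so under strictNullChecks the optional chain is dead code, and if a caller does pass `undefined` the method returns `undefined` contrary to its signature and the template context ends up with `name: undefined`; `return (str ?? '').replace(...)` keeps the declared contract, and the `i` flag can go since it has no effect on a class made only of punctuation. The class is a denylist of ASCII punctuation, so the template layer's own output encoding (not visible here) remains the primary defense against markup in `name`, and this method should be read as defense in depth rather than a sanitizer. It also deserves a doc comment such as `/** Removes ASCII punctuation (hyphen excepted) from user-supplied text before it is placed in an email template, so a name cannot be rendered as a clickable link. */`.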