Merge pull request #264 from josecelano/issue-197-fix-regexp-for-emai…

…l-validation Fix security issue with regexp for email validation
nautilus-cyberneering · Jun 8, 2022 · 652c7df · 652c7df
2 parents c4a4659 + 0e2e2e5
commit 652c7df
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 18 deletions.
diff --git a/__tests__/unit/email-address.test.ts b/__tests__/unit/email-address.test.ts
@@ -30,22 +30,19 @@ describe('EmailAddress', () => {
   })
 
   it('should validate email addresses', () => {
+    const account = 'c'.repeat(63)
+    const host = 'c'.repeat(63)
+    const domain = 'c'.repeat(63)
+    const address = `${host}.${domain}`
+    const maxSizeEmail = `${account}@${address}`
+    const maliciousDoSAttackEmail = `xxx${account}@$xxx${address}`
+
     const validEmails = [
       'Abc@example.com',
-      'Abc@example.com.',
-      'Abc@10.42.0.1',
-      'user@localserver',
       'Abc.123@example.com',
       'user+mailbox/department=shipping@example.com',
-      '"very.(),:;<>[]".VERY."very@\\ "very".unusual"@strange.example.com',
       "!#$%&'*+-/=?^_`.{|}~@example.com",
-      '"()<>[]:,;@\\"!#$%&\'-/=?^_`{}| ~.a"@example.org',
-      '"Abc@def"@example.com',
-      '"Fred Bloggs"@example.com',
-      '"Joe.\\Blow"@example.com',
-      'Loïc.Accentué@voilà.fr',
-      'user@[IPv6:2001:DB8::1]',
-      '" "@example.org'
+      maxSizeEmail
     ]
 
     for (const email of validEmails) {
@@ -59,7 +56,19 @@ describe('EmailAddress', () => {
       'this is"notallowed@example.com',
       'this still"not\\allowed@example.com',
       'john..doe@example.com',
-      'john.doe@example..com'
+      'john.doe@example..com',
+      'Abc@example.com.',
+      'Abc@10.42.0.1',
+      'user@localserver',
+      '"very.(),:;<>[]".VERY."very@\\ "very".unusual"@strange.example.com',
+      '"()<>[]:,;@\\"!#$%&\'-/=?^_`{}| ~.a"@example.org',
+      '"Abc@def"@example.com',
+      '"Fred Bloggs"@example.com',
+      '"Joe.\\Blow"@example.com',
+      'Loïc.Accentué@voilà.fr',
+      'user@[IPv6:2001:DB8::1]',
+      '" "@example.org',
+      maliciousDoSAttackEmail
     ]
 
     for (const email of invalidEmails) {

diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/licenses.txt b/dist/licenses.txt
diff --git a/package.json b/package.json
@@ -32,6 +32,7 @@
     "@actions/core": "^1.6.0",
     "@actions/exec": "^1.1.1",
     "ajv": "^8.11.0",
+    "email-validator": "^2.0.4",
     "simple-git": "^3.7.0"
   },
   "devDependencies": {

diff --git a/src/email-address.ts b/src/email-address.ts
@@ -1,3 +1,5 @@
+import * as EmailValidator from 'email-validator'
+
 /*
  * Wrapper for RFC5322 email address.
  *
@@ -85,7 +87,5 @@ export class EmailAddress {
 }
 
 export function emailIsValid(email: string): boolean {
-  return /^(([^<>()[\].,;:\s@"]+(\.[^<>()[\].,;:\s@"]+)*)|(".+"))@(([^<>().,;\s@"]+\.{0,1})+([^<>().,;:\s@"]{2,}|[\d.]+))$/.test(
-    email
-  )
+  return EmailValidator.validate(email)
 }
diff --git a/yarn.lock b/yarn.lock
@@ -1357,6 +1357,11 @@ electron-to-chromium@^1.4.147:
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.147.tgz#1ecf318737b21ba1e5b53319eb1edf8143892270"
   integrity sha512-czclPqxLMPqPMkahKcske4TaS5lcznsc26ByBlEFDU8grTBVK9C5W6K9I6oEEhm4Ai4jTihGnys90xY1yjXcRg==
 
+email-validator@^2.0.4:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/email-validator/-/email-validator-2.0.4.tgz#b8dfaa5d0dae28f1b03c95881d904d4e40bfe7ed"
+  integrity sha512-gYCwo7kh5S3IDyZPLZf6hSS0MnZT8QmJFqYvbqlDZSbwdZlY6QZWxJ4i/6UhITOJ4XzyI647Bm2MXKCLqnJ4nQ==
+
 emittery@^0.8.1:
   version "0.8.1"
   resolved "https://registry.yarnpkg.com/emittery/-/emittery-0.8.1.tgz#bb23cc86d03b30aa75a7f734819dee2e1ba70860"