Fix #164 Fix code scanning alert - Email content injection
albinpa authored and georgepadayatti committed Sep 19, 2023
1 parent 5aef7f4 commit e247bfe
Showing 3 changed files with 27 additions and 2 deletions.
3 changes: 3 additions & 0 deletions go.mod
Expand Up @@ -13,6 +13,7 @@ require (
firebase.google.com/go v3.12.1+incompatible // indirect
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aymerick/douceur v0.2.0 // indirect
github.com/casbin/casbin/v2 v2.77.2 // indirect
github.com/confluentinc/confluent-kafka-go v1.4.2 // indirect
github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
Expand All @@ -25,8 +26,10 @@ require (
github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/gorilla/context v1.1.1 // indirect
github.com/gorilla/css v1.0.0 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/microcosm-cc/bluemonday v1.0.25 // indirect
github.com/spf13/cobra v1.7.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/tidwall/gjson v1.14.4 // indirect
6 changes: 6 additions & 0 deletions go.sum
Expand Up @@ -22,6 +22,8 @@ github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
Expand Down Expand Up @@ -91,11 +93,15 @@ github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56
github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
20 changes: 18 additions & 2 deletions src/email/email.go
Expand Up @@ -2,10 +2,12 @@ package email

import (
"fmt"
"html/template"
"log"
"net/smtp"

"github.com/bb-consent/api/src/config"
"github.com/microcosm-cc/bluemonday"
)

// SMTPConfig Smtp configuration
Expand All @@ -23,6 +25,7 @@ func SendWelcomeEmail(username string, firstname string, subject string, body st
auth = smtp.PlainAuth("", SMTPConfig.Username, SMTPConfig.Password, SMTPConfig.Host)

r := NewRequest([]string{username}, subject, body, from)
escapedFirstName := template.HTMLEscapeString(firstname)

emailTemplateString := `<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Expand Down Expand Up @@ -63,7 +66,7 @@ func SendWelcomeEmail(username string, firstname string, subject string, body st
<tr>
<td></td>
<td width="600" style="font-size: 16px;">
<p style="font-weight: bold;font-size: 16px;color: #000;">Hi ` + firstname + `,</p>
<p style="font-weight: bold;font-size: 16px;color: #000;">Hi ` + escapedFirstName + `,</p>
<div style="color:#8c8a8a">
<p>
We are delighted that you are now registered to iGrant.io. Please check
Expand Down Expand Up @@ -150,12 +153,25 @@ func NewRequest(to []string, subject, body string, from string) *Request {

// SendEmail For sending email
func (r *Request) SendEmail(body string) (bool, error) {

p := bluemonday.UGCPolicy()

p = p.AllowAttrs("border", "cellspacing", "cellpadding", "style").OnElements("table")
p = p.AllowAttrs("align", "style").OnElements("td")
p = p.AllowAttrs("style").Globally()
p = p.AllowAttrs("class", "style", "id", "src").OnElements("img")
p = p.AllowStyles("color", "width", "background-color", "height", "border-radius", "padding", "font-size", "font-weight", "line-height").Globally()

mime := "MIME-version: 1.0;\nContent-Type: text/html; charset=\"UTF-8\";\n\n"
subject := "Subject: " + r.subject + "!\n"
msg := []byte(subject + mime + "\n" + body)

// Sanitize the msg
sanitizedMsg := p.Sanitize(string(msg))

addr := fmt.Sprintf("%s:%d", SMTPConfig.Host, SMTPConfig.Port)

if err := smtp.SendMail(addr, auth, r.from, r.to, msg); err != nil {
if err := smtp.SendMail(addr, auth, r.from, r.to, []byte(sanitizedMsg)); err != nil {
return false, err
}
return true, nil
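Review bot: The new `sanitizedMsg := p.Sanitize(string(msg))` runs the SMTP headers through an HTML sanitizer together with the body, and bluemonday HTML-escapes text content, so the quotes in `charset="UTF-8"` on the MIME line will most likely come out as entities and corrupt the Content-Type header. At the same time the more direct injection path is left as it was: `r.subject` is concatenated straight into the `Subject:` header, and a subject containing a line break still becomes an extra header line (as far as I can tell smtp.SendMail checks the addresses for CR/LF, not the message bytes), while the sanitizer does not remove newlines. Sanitize only the body and strip line breaks from the subject, i.e. `subject := "Subject: " + strings.NewReplacer("\r", "", "\n", "").Replace(r.subject) + "!\n"`, `msg := []byte(subject + mime + "\n" + p.Sanitize(body))`, and keep `smtp.SendMail(addr, auth, r.from, r.to, msg)`, adding `strings` to the import block. Separately, UGCPolicy drops unknown wrapper elements such as `<html>`, `<head>` and `<body>` from the template, which is probably harmless for mail clients but is a change in output worth confirming. SendEmail's closing brace lies outside the hunk.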
