Fixes for StrictEmailAddressAttribute (#1474)

* Use StrictEmail validation for changing email

* Add trailing symbols to illegal chars in emails

* Add semicolon as always illegal

* Replace regex with MimeKit parsing, add unit test

* Add more unit tests

* Fix linting

src/Core/Models/Api/Request/Accounts/EmailTokenRequestModel.cs

@@ -1,11 +1,12 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Models.Api
 {
     public class EmailTokenRequestModel
     {
         [Required]
-        [EmailAddress]
+        [StrictEmailAddress]
         [StringLength(256)]
         public string NewEmail { get; set; }
         [Required]

src/Core/Utilities/StrictEmailAddressAttribute.cs

@@ -1,6 +1,5 @@
-using System;
-using System.ComponentModel.DataAnnotations;
-using System.Text.RegularExpressions;
+using System.ComponentModel.DataAnnotations;
+using MimeKit;
 
 namespace Bit.Core.Utilities
 {
@@ -18,12 +17,19 @@ namespace Bit.Core.Utilities
                 return false;
             }
 
-            var illegalChars = @"[\s<>()]";
-            if (Regex.IsMatch(emailAddress, illegalChars))
+            try
+            {
+                var parsedEmailAddress = MailboxAddress.Parse(emailAddress).Address;
+                if (parsedEmailAddress != emailAddress)
+                {
+                    return false;
+                }
+            }
+            catch (ParseException e)
             {
                 return false;
             }
-             
+
             return new EmailAddressAttribute().IsValid(emailAddress);
         }
     }

test/Core.Test/Utilities/StrictEmailAddressAttributeTests.cs

@@ -0,0 +1,51 @@
+using Bit.Core.Utilities;
+using Xunit;
+
+namespace Bit.Core.Test.Utilities
+{
+    public class StrictEmailAttributeTests
+    {
+        [Theory]
+        [InlineData("hello@world.com")]         // regular email address
+        [InlineData("hello@world.planet.com")]  // subdomain
+        [InlineData("hello+1@world.com")]       // alias
+        [InlineData("hello.there@world.com")]   // period in local-part
+        public void IsValid_ReturnsTrueWhenValid(string email)
+        {
+            var sut = new StrictEmailAddressAttribute();
+
+            var actual = sut.IsValid(email);
+            
+            Assert.True(actual);
+        }
+        
+        [Theory]
+        [InlineData(null)]                          // null
+        [InlineData("hello@world.com\t")]           // trailing tab char
+        [InlineData("\thello@world.com")]           // leading tab char
+        [InlineData("hel\tlo@world.com")]           // local-part tab char
+        [InlineData("hello@world.com\b")]           // trailing backspace char
+        [InlineData("\"   \"hello@world.com")]      // leading spaces in quotes
+        [InlineData("hello@world.com\"    \"")]     // trailing spaces in quotes
+        [InlineData("hel\"   \"lo@world.com")]      // local-part spaces in quotes
+        [InlineData("hello there@world.com")]       // unescaped unquoted spaces
+        [InlineData("Hello <hello@world.com>")]     // friendly from
+        [InlineData("<hello@world.com>")]           // wrapped angle brackets
+        [InlineData("hello(com)there@world.com")]   // comment
+        [InlineData("hello@world.com.")]            // trailing period
+        [InlineData(".hello@world.com")]            // leading period
+        [InlineData("hello@world.com;")]            // trailing semicolon
+        [InlineData(";hello@world.com")]            // leading semicolon
+        [InlineData("hello@world.com; hello@world.com")]    // semicolon separated list
+        [InlineData("hello@world.com, hello@world.com")]    // comma separated list
+
+        public void IsValid_ReturnsFalseWhenInvalid(string email)
+        {
+            var sut = new StrictEmailAddressAttribute();
+
+            var actual = sut.IsValid(email);
+            
+            Assert.False(actual);
+        }
+    }
+}