nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-06 05:28:15 -05:00
Code

addressed bugs and concerns around special characters in email templates (#1478)

Browse Source 
* addressed bugs and concerns around special characters in email templates

* Modified email sanitization rules
This commit is contained in:
Addison Beck 2021-07-21 12:43:28 -04:00 committed by GitHub
parent f1238d7b4a
commit 8e97b924d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/Core/Services/Implementations/HandlebarsMailService.cs
View File

@ -151,7 +151,7 @@ namespace Bit.Core.Services
var model = new OrganizationUserAcceptedViewModel var model = new OrganizationUserAcceptedViewModel
{ {
OrganizationId = organization.Id, OrganizationId = organization.Id,
OrganizationName = CoreHelpers.SanitizeForEmail(organization.Name), OrganizationName = CoreHelpers.SanitizeForEmail(organization.Name, false),
UserIdentifier = userIdentifier, UserIdentifier = userIdentifier,
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash, WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
SiteName = _globalSettings.SiteName SiteName = _globalSettings.SiteName
@ -166,7 +166,7 @@ namespace Bit.Core.Services
var message = CreateDefaultMessage($"You Have Been Confirmed To {organizationName}", email); var message = CreateDefaultMessage($"You Have Been Confirmed To {organizationName}", email);
var model = new OrganizationUserConfirmedViewModel var model = new OrganizationUserConfirmedViewModel
{ {
OrganizationName = CoreHelpers.SanitizeForEmail(organizationName), OrganizationName = CoreHelpers.SanitizeForEmail(organizationName, false),
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash, WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
SiteName = _globalSettings.SiteName SiteName = _globalSettings.SiteName
}; };
@ -189,7 +189,7 @@ namespace Bit.Core.Services
var messageModels = invites.Select(invite => CreateMessage(invite.orgUser.Email, var messageModels = invites.Select(invite => CreateMessage(invite.orgUser.Email,
new OrganizationUserInvitedViewModel new OrganizationUserInvitedViewModel
{ {
OrganizationName = CoreHelpers.SanitizeForEmail(organizationName), OrganizationName = CoreHelpers.SanitizeForEmail(organizationName, false),
Email = WebUtility.UrlEncode(invite.orgUser.Email), Email = WebUtility.UrlEncode(invite.orgUser.Email),
OrganizationId = invite.orgUser.OrganizationId.ToString(), OrganizationId = invite.orgUser.OrganizationId.ToString(),
OrganizationUserId = invite.orgUser.Id.ToString(), OrganizationUserId = invite.orgUser.Id.ToString(),
@ -209,7 +209,7 @@ namespace Bit.Core.Services
var message = CreateDefaultMessage($"You have been removed from {organizationName}", email); var message = CreateDefaultMessage($"You have been removed from {organizationName}", email);
var model = new OrganizationUserRemovedForPolicyTwoStepViewModel var model = new OrganizationUserRemovedForPolicyTwoStepViewModel
{ {
OrganizationName = CoreHelpers.SanitizeForEmail(organizationName), OrganizationName = CoreHelpers.SanitizeForEmail(organizationName, false),
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash, WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
SiteName = _globalSettings.SiteName SiteName = _globalSettings.SiteName
}; };
@ -302,7 +302,7 @@ namespace Bit.Core.Services
var message = CreateDefaultMessage("License Expired", emails); var message = CreateDefaultMessage("License Expired", emails);
var model = new LicenseExpiredViewModel var model = new LicenseExpiredViewModel
{ {
OrganizationName = organizationName, OrganizationName = CoreHelpers.SanitizeForEmail(organizationName, false),
}; };
await AddMessageContentAsync(message, "LicenseExpired", model); await AddMessageContentAsync(message, "LicenseExpired", model);
message.Category = "LicenseExpired"; message.Category = "LicenseExpired";
@ -349,7 +349,7 @@ namespace Bit.Core.Services
var message = CreateDefaultMessage($"You have been removed from {organizationName}", email); var message = CreateDefaultMessage($"You have been removed from {organizationName}", email);
var model = new OrganizationUserRemovedForPolicySingleOrgViewModel var model = new OrganizationUserRemovedForPolicySingleOrgViewModel
{ {
OrganizationName = CoreHelpers.SanitizeForEmail(organizationName), OrganizationName = CoreHelpers.SanitizeForEmail(organizationName, false),
WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash, WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
SiteName = _globalSettings.SiteName SiteName = _globalSettings.SiteName
}; };

18
src/Core/Utilities/CoreHelpers.cs
View File

@ -555,12 +555,20 @@ namespace Bit.Core.Utilities
return sb.ToString(); return sb.ToString();
} }
public static string SanitizeForEmail(string value) public static string SanitizeForEmail(string value, bool htmlEncode = true)
{ {
var cleanedValue = value.Replace("@", "[at]") var cleanedValue = value.Replace("@", "[at]");
.Replace("http://", string.Empty) var regexOptions = RegexOptions.CultureInvariant |
.Replace("https://", string.Empty); RegexOptions.Singleline |
return HttpUtility.HtmlEncode(cleanedValue); RegexOptions.IgnoreCase;
cleanedValue = Regex.Replace(cleanedValue, @"(\.\w)",
m => string.Concat("[dot]", m.ToString().Last()), regexOptions);
while (Regex.IsMatch(cleanedValue, @"((^|\b)(\w*)://)", regexOptions))
{
cleanedValue = Regex.Replace(cleanedValue, @"((^|\b)(\w*)://)",
string.Empty, regexOptions);
}
return htmlEncode ? HttpUtility.HtmlEncode(cleanedValue) : cleanedValue;
} }
public static string DateTimeToTableStorageKey(DateTime? date = null) public static string DateTimeToTableStorageKey(DateTime? date = null)