Charon

akanealw/Charon

Fork 0

Commit Graph

Author	SHA1	Message	Date
GitHub Actions	9c04b3c198	fix(security): prevent email header injection (CWE-93) CodeQL flagged critical vulnerabilities in mail_service.go where untrusted input could be used to inject additional email headers via CRLF sequences. Changes: - Add sanitizeEmailHeader() to strip CR, LF, and control characters - Sanitize all header values (from, to, subject) in buildEmail() - Add validateEmailAddress() using net/mail.ParseAddress - Add comprehensive security tests for header injection prevention This addresses the 3 critical CodeQL alerts: - Line 199: buildEmail header construction - Line 260: sendSSL message usage - Line 307: sendSTARTTLS message usage Security: CWE-93 (Improper Neutralization of CRLF Sequences)	2025-12-05 05:02:09 +00:00

Author

SHA1

Message

Date

GitHub Actions

9c04b3c198

fix(security): prevent email header injection (CWE-93)

CodeQL flagged critical vulnerabilities in mail_service.go where
untrusted input could be used to inject additional email headers
via CRLF sequences.

Changes:
- Add sanitizeEmailHeader() to strip CR, LF, and control characters
- Sanitize all header values (from, to, subject) in buildEmail()
- Add validateEmailAddress() using net/mail.ParseAddress
- Add comprehensive security tests for header injection prevention

This addresses the 3 critical CodeQL alerts:
- Line 199: buildEmail header construction
- Line 260: sendSSL message usage
- Line 307: sendSTARTTLS message usage

Security: CWE-93 (Improper Neutralization of CRLF Sequences)

2025-12-05 05:02:09 +00:00

1 Commits