RubyGems - mailcatcher-ng - Versions diffs - 1.5.6 → 1.5.7 - Mend

mailcatcher-ng 1.5.6 → 1.5.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/mail_catcher/version.rb +1 -1
data/lib/mail_catcher/web/application.rb +129 -18
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ee8fa5604d4a8a9fa508ba5f4c0ae42f0fbef6518eca7d965f0e22589a6dc11
-  data.tar.gz: 5458a59890d42c974e198fa6b0c446082c105f1c300d7fc4cdb4f763ee305134
+  metadata.gz: 7ebd7047c9f071ee748d83a3d3b1cbe961c932a00b87b590293905d5dd31c183
+  data.tar.gz: 6003d4d52ec43a584d9be2e42e27c99db46344fd36f574e0425afebfdc721a7b
 SHA512:
-  metadata.gz: 1ae6e0bed271235f98a24551cd21461034a2d347f8235cb5abeb4d0540e7b1c622ee314d9653711f0fde1152a24eb4a110dd5d1f054eafda474c91f861dda660
-  data.tar.gz: 205715ec3a806a72a8538cbd3d770a2a9c6d793923b423c711de8010583fd7c15bc8da3da4b31bf1a71edf600bde4dd3a68bafd76c198294457117fb8fd25939
+  metadata.gz: ca3f6e06e9ca31c17f82b5b342ba27c9d66efca42feac6f8ab80623200ec111ce839cb5954b92851577f31f1386ed3e1ba6cd084345fb14ec8b6e002cb3b147f
+  data.tar.gz: d3693df74e695a5826121b9a6ad3c78820bf34717baae6b62f449a723c0290263f3672cc73d1de70fc084b9552d9b68e3ef7648a1976005f6660aa0fe461388e

data/lib/mail_catcher/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module MailCatcher
-  VERSION = '1.5.6'
+  VERSION = '1.5.7'
 end

data/lib/mail_catcher/web/application.rb CHANGED Viewed

@@ -2,6 +2,8 @@
 require "pathname"
 require "net/http"
+require "openssl"
+require "ipaddr"
 require "uri"
 require "faye/websocket"
@@ -34,6 +36,13 @@ end
 module MailCatcher
   module Web
     class Application < Sinatra::Base
+      class RemoteResourceTooLarge < StandardError; end
+      REMOTE_RESOURCE_MAX_BYTES = 5 * 1024 * 1024
+      REMOTE_RESOURCE_OPEN_TIMEOUT = 3
+      REMOTE_RESOURCE_READ_TIMEOUT = 5
+      REMOTE_RESOURCE_MAX_REDIRECTS = 3
       set :environment, MailCatcher.env
       set :prefix, MailCatcher.options[:http_path]
       set :asset_prefix, File.join(prefix, "assets")
@@ -226,6 +235,95 @@ module MailCatcher
         end
       end
+      helpers do
+        def valid_message_id!(id)
+          message_id = Integer(id)
+          halt 400, "Invalid message id" if message_id.negative?
+          message_id
+        rescue ArgumentError, TypeError
+          halt 400, "Invalid message id"
+        end
+        def remote_resource_proxy_url(url)
+          "/resources/proxy?url=#{URI.encode_www_form_component(url)}"
+        end
+        def external_http_url?(raw_url)
+          uri = URI.parse(raw_url)
+          uri.is_a?(URI::HTTP) && uri.host && uri.host != ""
+        rescue URI::InvalidURIError
+          false
+        end
+        def safe_remote_host?(host)
+          return false if host.nil? || host.empty?
+          return false if host == "localhost"
+          ip = IPAddr.new(host)
+          !ip.loopback? && !ip.private? && !ip.link_local?
+        rescue IPAddr::InvalidAddressError
+          require "resolv"
+          addresses = Resolv.getaddresses(host)
+          return false if addresses.empty?
+          addresses.all? do |address|
+            ip = IPAddr.new(address)
+            !ip.loopback? && !ip.private? && !ip.link_local?
+          rescue IPAddr::InvalidAddressError
+            false
+          end
+        end
+        def rewrite_html_for_preview(html)
+          doc = Nokogiri::HTML::DocumentFragment.parse(html.to_s)
+          doc.css("img[src], source[src], iframe[src], video[src], audio[src], object[data], embed[src]").each do |node|
+            attr_name = node.name == "object" ? "data" : (node["src"] ? "src" : "href")
+            raw_url = node[attr_name]
+            next unless raw_url
+            next unless external_http_url?(raw_url)
+            node[attr_name] = remote_resource_proxy_url(raw_url)
+          end
+          doc.to_html
+        end
+        def fetch_remote_resource(url, depth = 0)
+          raise Sinatra::BadRequest, "Invalid URL" unless external_http_url?(url)
+          raise Sinatra::BadRequest, "Too many redirects" if depth > REMOTE_RESOURCE_MAX_REDIRECTS
+          uri = URI.parse(url)
+          raise Sinatra::BadRequest, "Unsafe remote host" unless safe_remote_host?(uri.host)
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = uri.scheme == "https"
+          http.open_timeout = REMOTE_RESOURCE_OPEN_TIMEOUT
+          http.read_timeout = REMOTE_RESOURCE_READ_TIMEOUT
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER if http.use_ssl?
+          response = http.request(Net::HTTP::Get.new(uri.request_uri))
+          case response
+          when Net::HTTPSuccess
+            body = +""
+            response.read_body do |chunk|
+              body << chunk
+              raise RemoteResourceTooLarge if body.bytesize > REMOTE_RESOURCE_MAX_BYTES
+            end
+            [response["content-type"], body]
+          when Net::HTTPRedirection
+            location = response["location"]
+            raise Sinatra::BadRequest, "Redirect missing location" unless location
+            next_url = URI.parse(location).absolute? ? location : uri.merge(location).to_s
+            fetch_remote_resource(next_url, depth + 1)
+          else
+            halt response.code.to_i, response.message
+          end
+        end
+      end
       get "/" do
         @version = MailCatcher::VERSION
         erb :index
@@ -400,7 +498,7 @@ module MailCatcher
       end
       get "/messages/:id.json" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message = Mail.message(id)
           content_type :json
           JSON.generate(message.merge({
@@ -425,7 +523,7 @@ module MailCatcher
       end
       get "/messages/:id.html" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if part = Mail.message_part_html(id)
           content_type :html, :charset => (part["charset"] || "utf8")
@@ -433,6 +531,7 @@ module MailCatcher
           # Rewrite body to link to embedded attachments served by cid
           body = body.gsub /cid:([^'"> ]+)/, "#{id}/parts/\\1"
+          body = rewrite_html_for_preview(body)
           body
         else
@@ -441,7 +540,7 @@ module MailCatcher
       end
       get "/messages/:id.plain" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if part = Mail.message_part_plain(id)
           content_type part["type"], :charset => (part["charset"] || "utf8")
           part["body"]
@@ -451,7 +550,7 @@ module MailCatcher
       end
       get "/messages/:id.source" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message_source = Mail.message_source(id)
           content_type "text/plain"
           message_source
@@ -461,7 +560,7 @@ module MailCatcher
       end
       get "/messages/:id.eml" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message_source = Mail.message_source(id)
           content_type "message/rfc822"
           message_source
@@ -471,7 +570,7 @@ module MailCatcher
       end
       get "/messages/:id/transcript.json" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if transcript = Mail.message_transcript(id)
           content_type :json
           JSON.generate(transcript)
@@ -481,7 +580,7 @@ module MailCatcher
       end
       get "/messages/:id.transcript" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if transcript = Mail.message_transcript(id)
           content_type :html, charset: "utf-8"
           erb :transcript, locals: { transcript: transcript }
@@ -491,7 +590,7 @@ module MailCatcher
       end
       get "/messages/:id/parts/:cid" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if part = Mail.message_part_cid(id, params[:cid])
           content_type part["type"], :charset => (part["charset"] || "utf8")
           attachment part["filename"] if part["is_attachment"] == 1
@@ -502,7 +601,7 @@ module MailCatcher
       end
       get "/messages/:id/extract" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message = Mail.message(id)
           content_type :json
           JSON.generate(Mail.extract_tokens(id, type: params[:type]))
@@ -512,7 +611,7 @@ module MailCatcher
       end
       get "/messages/:id/links.json" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message = Mail.message(id)
           content_type :json
           JSON.generate(Mail.extract_all_links(id))
@@ -522,7 +621,7 @@ module MailCatcher
       end
       get "/messages/:id/parsed.json" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message = Mail.message(id)
           content_type :json
           JSON.generate(Mail.parse_message_structured(id))
@@ -532,7 +631,7 @@ module MailCatcher
       end
       get "/messages/:id/accessibility.json" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message = Mail.message(id)
           content_type :json
           begin
@@ -547,7 +646,7 @@ module MailCatcher
       end
       post "/messages/:id/forward" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if message = Mail.message(id)
           content_type :json
           result = Mail.forward_message(id)
@@ -564,7 +663,7 @@ module MailCatcher
       end
       delete "/messages/:id" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if Mail.message(id)
           Mail.delete_message!(id)
           status 204
@@ -573,6 +672,18 @@ module MailCatcher
         end
       end
+      get "/resources/proxy" do
+        content_type, body = fetch_remote_resource(params[:url].to_s)
+        content_type content_type if content_type
+        body
+      rescue URI::InvalidURIError, Sinatra::BadRequest => e
+        halt 400, e.message
+      rescue Net::OpenTimeout, Net::ReadTimeout
+        halt 504, "Remote resource timed out"
+      rescue RemoteResourceTooLarge
+        halt 413, "Remote resource too large"
+      end
       # Claude Plugin Routes
       # These routes provide Claude Plugin marketplace compatible endpoints
@@ -672,7 +783,7 @@ module MailCatcher
       end
       get "/plugin/message/:id/tokens" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         content_type :json
         unless Mail.message(id)
@@ -710,7 +821,7 @@ module MailCatcher
       end
       get "/plugin/message/:id/auth-info" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         content_type :json
         unless Mail.message(id)
@@ -733,7 +844,7 @@ module MailCatcher
       end
       get "/plugin/message/:id/preview" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         content_type :html
         html_part = Mail.message_part_html(id)
@@ -766,7 +877,7 @@ module MailCatcher
       end
       delete "/plugin/message/:id" do
-        id = params[:id].to_i
+        id = valid_message_id!(params[:id])
         if Mail.message(id)
           Mail.delete_message!(id)
           status 204

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mailcatcher-ng
 version: !ruby/object:Gem::Version
-  version: 1.5.6
+  version: 1.5.7
 platform: ruby
 authors:
 - Stephane Paquet