npm - @bobfrankston/rmfmail - Versions diffs - 1.1.233 → 1.1.235 - Mend

@bobfrankston/rmfmail 1.1.233 → 1.1.235

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/client/app.bundle.js +9 -1
package/client/app.bundle.js.map +2 -2
package/client/components/message-viewer.js +9 -1
package/client/components/message-viewer.js.map +1 -1
package/client/components/message-viewer.ts +9 -1
package/package.json +1 -1
package/packages/mailx-store/store.d.ts.map +1 -1
package/packages/mailx-store/store.js +31 -10
package/packages/mailx-store/store.js.map +1 -1
package/packages/mailx-store/store.ts +32 -11

package/packages/mailx-store/store.ts CHANGED Viewed

@@ -255,17 +255,22 @@ export class Store {
         const allowList = this.getCachedAllowlist() as any;
         const senderAddr = (envelope.from?.address || "").toLowerCase();
         const senderDomain = senderAddr.split("@")[1] || "";
-        const toAddrs = (envelope.to || []).map((a: any) => (a.address || "").toLowerCase());
+        // Recipient allowlist matches against every recipient-ish address, not
+        // just To: a mailing list often carries other subscribers in To/Cc and
+        // delivers to the user's allowlisted alias only via Delivered-To (added
+        // post-parse below).
+        const recipients = (allowList.recipients || []).map((r: string) => (r || "").toLowerCase());
+        const rcptAddrs = [...(envelope.to || []), ...(envelope.cc || [])]
+            .map((a: any) => (a.address || "").toLowerCase());
         // Allowlist auto-allow: trusted sender / domain / recipient skips
         // sanitization. Same rule as the legacy service implementation.
         if (!allowRemote) {
             const senders = (allowList.senders || []).map((s: string) => (s || "").toLowerCase());
             const domains = (allowList.domains || []).map((d: string) => (d || "").toLowerCase());
-            const recipients = (allowList.recipients || []).map((r: string) => (r || "").toLowerCase());
             if (senders.includes(senderAddr) ||
                 domains.includes(senderDomain) ||
-                toAddrs.some((a: string) => recipients.includes(a))) {
+                rcptAddrs.some((a: string) => recipients.includes(a))) {
                 allowRemote = true;
             }
         }
@@ -307,8 +312,12 @@ export class Store {
         const cached = this.parsedLruGet(cacheKey);
         if (cached) {
             // Allowlist state can change between views even with the same
-            // body cached; recompute the volatile fields and overlay.
-            return { ...cached, remoteAllowed: allowRemote, isFlagged };
+            // body cached; recompute the volatile fields and overlay. OR with
+            // the cached flag: if the body was already parsed-and-allowed (e.g.
+            // via a Delivered-To recipient match, which the early envelope-only
+            // check can't see), keep it allowed — the cached HTML is unsanitized
+            // and the flag must agree.
+            return { ...cached, remoteAllowed: allowRemote || cached.remoteAllowed, isFlagged };
         }
         // Synchronous parse. The .eml is on disk; read + parse it inline
@@ -408,12 +417,6 @@ export class Store {
                 contentId: x.a.contentId || "",
             }));
-        if (bodyHtml && !allowRemote) {
-            const result = sanitizeHtml(bodyHtml);
-            bodyHtml = result.html;
-            hasRemoteContent = result.hasRemoteContent;
-        }
         // Header extraction — Delivered-To, Return-Path, List-Unsubscribe.
         // Each delivery agent PREPENDS its Delivered-To, so the FIRST
         // (topmost) header is the final delivery to the user's actual
@@ -421,6 +424,8 @@ export class Store {
         // routing artifacts. Take [0]. (The old code took the LAST entry —
         // on a forwarded message that grabbed a stale hop, e.g. a malformed
         // `…@elkin.ws@trap-prot` address — Bob 2026-05-21.)
+        // This runs BEFORE sanitization because Delivered-To feeds the
+        // recipient-allowlist re-check just below.
         let deliveredTo = "";
         const rawDelivered = parsed.headers.get("delivered-to");
         if (rawDelivered) {
@@ -447,6 +452,22 @@ export class Store {
             parseListUnsubscribe(parsed.headers);
         const listUnsubscribe = listUnsubscribeHttp || listUnsubscribeMail;
+        // Recipient-allowlist re-check with Delivered-To in hand. The early
+        // pass (envelope only) can't see Delivered-To, so a list message whose
+        // To/Cc are other subscribers and whose only allowlisted address is the
+        // Delivered-To alias (e.g. shsaa@bob.ma) would still be sanitized.
+        // Match the bare address out of "Name <addr>" / "<addr>" / "addr".
+        if (!allowRemote && deliveredTo) {
+            const dAddr = (deliveredTo.match(/[^\s<>]+@[^\s<>]+/)?.[0] || "").toLowerCase();
+            if (dAddr && recipients.includes(dAddr)) allowRemote = true;
+        }
+        if (bodyHtml && !allowRemote) {
+            const result = sanitizeHtml(bodyHtml);
+            bodyHtml = result.html;
+            hasRemoteContent = result.hasRemoteContent;
+        }
         const result: StoreMessage = {
             ...envelope,
             bodyHtml, bodyText,