@mikkelscheike/email-provider-links 1.0.0 → 1.2.0

package/dist/security/secure-loader.js

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * Secure Loader for Email Providers
+ *
+ * Integrates URL validation and hash verification to create a secure
+ * loading system for email provider data.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secureLoadProviders = secureLoadProviders;
+exports.initializeSecurity = initializeSecurity;
+exports.createSecurityMiddleware = createSecurityMiddleware;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const url_validator_1 = require("./url-validator");
+const hash_verifier_1 = require("./hash-verifier");
+/**
+ * Securely loads and validates email provider data
+ *
+ * @param providersPath - Path to the providers JSON file
+ * @param expectedHash - Optional expected hash for verification
+ * @returns Secure load result with validation details
+ */
+function secureLoadProviders(providersPath, expectedHash) {
+    const filePath = providersPath || (0, path_1.join)(__dirname, '..', '..', 'providers', 'emailproviders.json');
+    const issues = [];
+    let providers = [];
+    // Step 1: Hash verification
+    const hashResult = (0, hash_verifier_1.verifyProvidersIntegrity)(filePath, expectedHash);
+    if (!hashResult.isValid) {
+        issues.push(`Hash verification failed: ${hashResult.reason}`);
+        // In production, you might want to abort here
+        console.error('🚨 SECURITY WARNING: Hash verification failed!');
+        console.error('File:', hashResult.file);
+        console.error('Reason:', hashResult.reason);
+        console.error('Expected:', hashResult.expectedHash);
+        console.error('Actual:', hashResult.actualHash);
+    }
+    // Step 2: Load and parse JSON
+    try {
+        const fileContent = (0, fs_1.readFileSync)(filePath, 'utf8');
+        const data = JSON.parse(fileContent);
+        providers = data.providers || [];
+    }
+    catch (error) {
+        issues.push(`Failed to load providers file: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        return {
+            success: false,
+            providers: [],
+            securityReport: {
+                hashVerification: false,
+                urlValidation: false,
+                totalProviders: 0,
+                validUrls: 0,
+                invalidUrls: 0,
+                securityLevel: 'CRITICAL',
+                issues
+            }
+        };
+    }
+    // Step 3: URL validation audit
+    const urlAudit = (0, url_validator_1.auditProviderSecurity)(providers);
+    if (urlAudit.invalid > 0) {
+        issues.push(`${urlAudit.invalid} providers have invalid URLs`);
+        console.warn('⚠️  URL validation issues found:');
+        for (const invalid of urlAudit.invalidProviders) {
+            console.warn(`- ${invalid.provider}: ${invalid.validation.reason}`);
+        }
+    }
+    // Step 4: Filter out invalid providers in production
+    const secureProviders = providers.filter(provider => {
+        if (!provider.loginUrl)
+            return true; // Allow providers without login URLs
+        const validation = (0, url_validator_1.validateEmailProviderUrl)(provider.loginUrl);
+        return validation.isValid;
+    });
+    if (secureProviders.length < providers.length) {
+        const filtered = providers.length - secureProviders.length;
+        issues.push(`Filtered out ${filtered} providers with invalid URLs`);
+    }
+    // Step 5: Determine security level
+    let securityLevel = 'SECURE';
+    if (!hashResult.isValid) {
+        securityLevel = 'CRITICAL';
+    }
+    else if (urlAudit.invalid > 0 || issues.length > 0) {
+        securityLevel = 'WARNING';
+    }
+    return {
+        success: securityLevel !== 'CRITICAL',
+        providers: secureProviders,
+        securityReport: {
+            hashVerification: hashResult.isValid,
+            urlValidation: urlAudit.invalid === 0,
+            totalProviders: providers.length,
+            validUrls: urlAudit.valid,
+            invalidUrls: urlAudit.invalid,
+            securityLevel,
+            issues
+        }
+    };
+}
+/**
+ * Development utility to generate and display current hashes
+ */
+function initializeSecurity() {
+    console.log('🔐 Generating security hashes for email providers...');
+    const hashes = (0, hash_verifier_1.generateSecurityHashes)();
+    console.log('\n📋 Security Setup Instructions:');
+    console.log('1. Store these hashes securely (environment variables, CI/CD secrets)');
+    console.log('2. Update KNOWN_GOOD_HASHES in hash-verifier.ts');
+    console.log('3. Enable hash verification in production');
+    console.log('\n⚠️  Remember to update hashes when making legitimate changes to provider data!');
+    return hashes;
+}
+/**
+ * Express middleware for secure provider loading (if using in web apps)
+ */
+function createSecurityMiddleware(options = {}) {
+    return (req, res, next) => {
+        const result = secureLoadProviders(undefined, options.expectedHash);
+        if (result.securityReport.securityLevel === 'CRITICAL' && !options.allowInvalidUrls) {
+            if (options.onSecurityIssue) {
+                options.onSecurityIssue(result.securityReport);
+            }
+            return res.status(500).json({
+                error: 'Security validation failed',
+                details: result.securityReport
+            });
+        }
+        // Attach secure providers to request
+        req.secureProviders = result.providers;
+        req.securityReport = result.securityReport;
+        next();
+    };
+}
+exports.default = {
+    secureLoadProviders,
+    initializeSecurity,
+    createSecurityMiddleware
+};
+//# sourceMappingURL=secure-loader.js.map

package/dist/security/secure-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-loader.js","sourceRoot":"","sources":["../../src/security/secure-loader.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AA6BH,kDAuFC;AAKD,gDAWC;AAKD,4DAwBC;AA/JD,2BAAkC;AAClC,+BAA4B;AAC5B,mDAAkF;AAClF,mDAAuG;AAiBvG;;;;;;GAMG;AACH,SAAgB,mBAAmB,CACjC,aAAsB,EACtB,YAAqB;IAErB,MAAM,QAAQ,GAAG,aAAa,IAAI,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,qBAAqB,CAAC,CAAC;IAClG,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,SAAS,GAAoB,EAAE,CAAC;IAEpC,4BAA4B;IAC5B,MAAM,UAAU,GAAG,IAAA,wCAAwB,EAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IACpE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,6BAA6B,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAE9D,8CAA8C;QAC9C,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAChE,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;QAC5C,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;QACpD,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC;IAED,8BAA8B;IAC9B,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,IAAA,iBAAY,EAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACrC,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC;IACnC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,kCAAkC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;QAC1G,OAAO;YACL,OAAO,EAAE,KAAK;YACd,SAAS,EAAE,EAAE;YACb,cAAc,EAAE;gBACd,gBAAgB,EAAE,KAAK;gBACvB,aAAa,EAAE,KAAK;gBACpB,cAAc,EAAE,CAAC;gBACjB,SAAS,EAAE,CAAC;gBACZ,WAAW,EAAE,CAAC;gBACd,aAAa,EAAE,UAAU;gBACzB,MAAM;aACP;SACF,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,IAAA,qCAAqB,EAAC,SAAS,CAAC,CAAC;IAClD,IAAI,QAAQ,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,OAAO,8BAA8B,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACjD,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE;QAClD,IAAI,CAAC,QAAQ,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,CAAC,qCAAqC;QAC1E,MAAM,UAAU,GAAG,IAAA,wCAAwB,EAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC/D,OAAO,UAAU,CAAC,OAAO,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAI,eAAe,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC;QAC9C,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,gBAAgB,QAAQ,8BAA8B,CAAC,CAAC;IACtE,CAAC;IAED,mCAAmC;IACnC,IAAI,aAAa,GAAsC,QAAQ,CAAC;IAEhE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,aAAa,GAAG,UAAU,CAAC;IAC7B,CAAC;SAAM,IAAI,QAAQ,CAAC,OAAO,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrD,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;IAED,OAAO;QACL,OAAO,EAAE,aAAa,KAAK,UAAU;QACrC,SAAS,EAAE,eAAe;QAC1B,cAAc,EAAE;YACd,gBAAgB,EAAE,UAAU,CAAC,OAAO;YACpC,aAAa,EAAE,QAAQ,CAAC,OAAO,KAAK,CAAC;YACrC,cAAc,EAAE,SAAS,CAAC,MAAM;YAChC,SAAS,EAAE,QAAQ,CAAC,KAAK;YACzB,WAAW,EAAE,QAAQ,CAAC,OAAO;YAC7B,aAAa;YACb,MAAM;SACP;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB;IAChC,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,IAAA,sCAAsB,GAAE,CAAC;IAExC,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;IACzD,OAAO,CAAC,GAAG,CAAC,kFAAkF,CAAC,CAAC;IAEhG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,wBAAwB,CAAC,UAIrC,EAAE;IACJ,OAAO,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;QACvC,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAEpE,IAAI,MAAM,CAAC,cAAc,CAAC,aAAa,KAAK,UAAU,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;YACpF,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;gBAC5B,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,4BAA4B;gBACnC,OAAO,EAAE,MAAM,CAAC,cAAc;aAC/B,CAAC,CAAC;QACL,CAAC;QAED,qCAAqC;QACpC,GAAW,CAAC,eAAe,GAAG,MAAM,CAAC,SAAS,CAAC;QAC/C,GAAW,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QAEpD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,kBAAe;IACb,mBAAmB;IACnB,kBAAkB;IAClB,wBAAwB;CACzB,CAAC"}

package/dist/security/security-demo.d.ts

@@ -0,0 +1,10 @@
+#!/usr/bin/env tsx
+/**
+ * Security Demonstration Script
+ *
+ * This script demonstrates how the URL validation and hash verification
+ * systems work to protect against supply chain attacks.
+ */
+declare function demo(): void;
+export { demo };
+//# sourceMappingURL=security-demo.d.ts.map

package/dist/security/security-demo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-demo.d.ts","sourceRoot":"","sources":["../../src/security/security-demo.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAQH,iBAAS,IAAI,SA2JZ;AAOD,OAAO,EAAE,IAAI,EAAE,CAAC"}

package/dist/security/security-demo.js

@@ -0,0 +1,154 @@
+#!/usr/bin/env tsx
+"use strict";
+/**
+ * Security Demonstration Script
+ *
+ * This script demonstrates how the URL validation and hash verification
+ * systems work to protect against supply chain attacks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.demo = demo;
+const url_validator_1 = require("./url-validator");
+const hash_verifier_1 = require("./hash-verifier");
+const secure_loader_1 = require("./secure-loader");
+const fs_1 = require("fs");
+const path_1 = require("path");
+function demo() {
+    console.log('🔐 EMAIL PROVIDER LINKS - SECURITY DEMONSTRATION\n');
+    // 1. URL Validation Demo
+    console.log('📋 1. URL VALIDATION DEMO');
+    console.log('='.repeat(50));
+    const testUrls = [
+        'https://mail.google.com/mail/', // ✅ Valid
+        'https://outlook.office365.com', // ✅ Valid  
+        'https://evil-phishing-site.com/gmail', // ❌ Invalid (not allowlisted)
+        'http://gmail.com', // ❌ Invalid (not HTTPS)
+        'https://192.168.1.1/webmail', // ❌ Invalid (IP address)
+        'https://bit.ly/fake-gmail', // ❌ Invalid (URL shortener)
+        'https://gmail.tk' // ❌ Invalid (suspicious TLD)
+    ];
+    testUrls.forEach(url => {
+        const result = (0, url_validator_1.validateEmailProviderUrl)(url);
+        const status = result.isValid ? '✅' : '❌';
+        console.log(`${status} ${url}`);
+        if (!result.isValid) {
+            console.log(`   Reason: ${result.reason}`);
+        }
+    });
+    // 2. Hash Verification Demo
+    console.log('\n📋 2. HASH VERIFICATION DEMO');
+    console.log('='.repeat(50));
+    try {
+        const providersPath = (0, path_1.join)(__dirname, '..', '..', 'providers', 'emailproviders.json');
+        const currentHash = (0, hash_verifier_1.calculateFileHash)(providersPath);
+        console.log(`Current providers file hash: ${currentHash}`);
+        // Simulate tampering detection
+        const fakeHash = 'fake_hash_indicating_tampering';
+        const verificationResult = (0, hash_verifier_1.verifyProvidersIntegrity)(providersPath, fakeHash);
+        console.log(`\\nTampering simulation:`);
+        console.log(`Expected: ${fakeHash}`);
+        console.log(`Actual: ${verificationResult.actualHash}`);
+        console.log(`Valid: ${verificationResult.isValid ? '✅' : '❌'}`);
+        if (!verificationResult.isValid) {
+            console.log(`Reason: ${verificationResult.reason}`);
+        }
+    }
+    catch (error) {
+        console.error('Failed to demonstrate hash verification:', error);
+    }
+    // 3. Provider Security Audit
+    console.log('\\n📋 3. PROVIDER SECURITY AUDIT');
+    console.log('='.repeat(50));
+    try {
+        const providersPath = (0, path_1.join)(__dirname, '..', '..', 'providers', 'emailproviders.json');
+        const providersData = JSON.parse((0, fs_1.readFileSync)(providersPath, 'utf8'));
+        const audit = (0, url_validator_1.auditProviderSecurity)(providersData.providers);
+        console.log(`Total providers: ${audit.total}`);
+        console.log(`Valid URLs: ${audit.valid}`);
+        console.log(`Invalid URLs: ${audit.invalid}`);
+        console.log(`Status: ${audit.report}`);
+        if (audit.invalid > 0) {
+            console.log('\\nInvalid providers:');
+            audit.invalidProviders.forEach(invalid => {
+                console.log(`- ${invalid.provider}: ${invalid.validation.reason}`);
+            });
+        }
+    }
+    catch (error) {
+        console.error('Failed to audit providers:', error);
+    }
+    // 4. Secure Loading Demo
+    console.log('\\n📋 4. SECURE LOADING DEMO');
+    console.log('='.repeat(50));
+    const secureResult = (0, secure_loader_1.secureLoadProviders)();
+    console.log(`Load success: ${secureResult.success ? '✅' : '❌'}`);
+    console.log(`Security level: ${secureResult.securityReport.securityLevel}`);
+    console.log(`Hash verification: ${secureResult.securityReport.hashVerification ? '✅' : '❌'}`);
+    console.log(`URL validation: ${secureResult.securityReport.urlValidation ? '✅' : '❌'}`);
+    console.log(`Total providers loaded: ${secureResult.providers.length}`);
+    if (secureResult.securityReport.issues.length > 0) {
+        console.log('\\nSecurity issues:');
+        secureResult.securityReport.issues.forEach(issue => {
+            console.log(`- ${issue}`);
+        });
+    }
+    // 5. Attack Simulation
+    console.log('\\n📋 5. ATTACK SIMULATION');
+    console.log('='.repeat(50));
+    console.log('Simulating common attack scenarios:\\n');
+    // Simulate malicious URL injection
+    const maliciousProvider = {
+        companyProvider: 'Fake Gmail',
+        loginUrl: 'https://gmaiI.com/login', // Note the capital i instead of l
+        domains: ['gmail.com']
+    };
+    const maliciousValidation = (0, url_validator_1.validateEmailProviderUrl)(maliciousProvider.loginUrl);
+    console.log(`🎭 Typosquatting attack: ${maliciousProvider.loginUrl}`);
+    console.log(`   Blocked: ${!maliciousValidation.isValid ? '✅' : '❌'}`);
+    if (!maliciousValidation.isValid) {
+        console.log(`   Reason: ${maliciousValidation.reason}`);
+    }
+    // Simulate URL shortener attack
+    const shortenerAttack = {
+        companyProvider: 'Shortened Gmail',
+        loginUrl: 'https://bit.ly/definitely-not-gmail',
+        domains: ['gmail.com']
+    };
+    const shortenerValidation = (0, url_validator_1.validateEmailProviderUrl)(shortenerAttack.loginUrl);
+    console.log(`\\n🔗 URL shortener attack: ${shortenerAttack.loginUrl}`);
+    console.log(`   Blocked: ${!shortenerValidation.isValid ? '✅' : '❌'}`);
+    if (!shortenerValidation.isValid) {
+        console.log(`   Reason: ${shortenerValidation.reason}`);
+    }
+    // Simulate non-HTTPS attack
+    const httpAttack = {
+        companyProvider: 'Insecure Gmail',
+        loginUrl: 'http://gmail.com',
+        domains: ['gmail.com']
+    };
+    const httpValidation = (0, url_validator_1.validateEmailProviderUrl)(httpAttack.loginUrl);
+    console.log(`\\n🔓 Non-HTTPS attack: ${httpAttack.loginUrl}`);
+    console.log(`   Blocked: ${!httpValidation.isValid ? '✅' : '❌'}`);
+    if (!httpValidation.isValid) {
+        console.log(`   Reason: ${httpValidation.reason}`);
+    }
+    console.log('\\n🎯 SECURITY SUMMARY');
+    console.log('='.repeat(50));
+    console.log('✅ URL allowlisting prevents malicious redirects');
+    console.log('✅ Hash verification detects file tampering');
+    console.log('✅ HTTPS enforcement prevents downgrade attacks');
+    console.log('✅ Suspicious pattern detection blocks common attacks');
+    console.log('✅ Comprehensive logging for security monitoring');
+    console.log('\\n🔧 NEXT STEPS FOR PRODUCTION');
+    console.log('='.repeat(50));
+    console.log('1. Store expected hashes in environment variables');
+    console.log('2. Enable strict security mode in CI/CD pipeline');
+    console.log('3. Set up monitoring alerts for security failures');
+    console.log('4. Regular security audits of provider data');
+    console.log('5. Consider adding digital signatures for extra security');
+}
+// Run the demo
+if (require.main === module) {
+    demo();
+}
+//# sourceMappingURL=security-demo.js.map

package/dist/security/security-demo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-demo.js","sourceRoot":"","sources":["../../src/security/security-demo.ts"],"names":[],"mappings":";;AAEA;;;;;GAKG;;AA0KM,oBAAI;AAxKb,mDAAkF;AAClF,mDAAsG;AACtG,mDAA0E;AAC1E,2BAAkC;AAClC,+BAA4B;AAE5B,SAAS,IAAI;IACX,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;IAElE,yBAAyB;IACzB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7B,MAAM,QAAQ,GAAG;QACf,+BAA+B,EAAY,UAAU;QACrD,+BAA+B,EAAY,YAAY;QACvD,sCAAsC,EAAK,8BAA8B;QACzE,kBAAkB,EAAyB,wBAAwB;QACnE,6BAA6B,EAAa,yBAAyB;QACnE,2BAA2B,EAAgB,4BAA4B;QACvE,kBAAkB,CAAyB,6BAA6B;KACzE,CAAC;IAEF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QACrB,MAAM,MAAM,GAAG,IAAA,wCAAwB,EAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QAChC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,4BAA4B;IAC5B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,qBAAqB,CAAC,CAAC;QACtF,MAAM,WAAW,GAAG,IAAA,iCAAiB,EAAC,aAAa,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,gCAAgC,WAAW,EAAE,CAAC,CAAC;QAE3D,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,gCAAgC,CAAC;QAClD,MAAM,kBAAkB,GAAG,IAAA,wCAAwB,EAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAE7E,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,WAAW,kBAAkB,CAAC,UAAU,EAAE,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,UAAU,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QAChE,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,WAAW,kBAAkB,CAAC,MAAM,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;IACnE,CAAC;IAED,6BAA6B;IAC7B,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,qBAAqB,CAAC,CAAC;QACtF,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC;QACtE,MAAM,KAAK,GAAG,IAAA,qCAAqB,EAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QAE7D,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAEvC,IAAI,KAAK,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;gBACvC,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACrE,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;IACrD,CAAC;IAED,yBAAyB;IACzB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7B,MAAM,YAAY,GAAG,IAAA,mCAAmB,GAAE,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,iBAAiB,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,mBAAmB,YAAY,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC,CAAC;IAC5E,OAAO,CAAC,GAAG,CAAC,sBAAsB,YAAY,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9F,OAAO,CAAC,GAAG,CAAC,mBAAmB,YAAY,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACxF,OAAO,CAAC,GAAG,CAAC,2BAA2B,YAAY,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAExE,IAAI,YAAY,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACnC,YAAY,CAAC,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;YACjD,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,EAAE,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,uBAAuB;IACvB,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7B,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;IAEtD,mCAAmC;IACnC,MAAM,iBAAiB,GAAG;QACxB,eAAe,EAAE,YAAY;QAC7B,QAAQ,EAAE,yBAAyB,EAAG,kCAAkC;QACxE,OAAO,EAAE,CAAC,WAAW,CAAC;KACvB,CAAC;IAEF,MAAM,mBAAmB,GAAG,IAAA,wCAAwB,EAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACjF,OAAO,CAAC,GAAG,CAAC,4BAA4B,iBAAiB,CAAC,QAAQ,EAAE,CAAC,CAAC;IACtE,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACvE,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,cAAc,mBAAmB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,gCAAgC;IAChC,MAAM,eAAe,GAAG;QACtB,eAAe,EAAE,iBAAiB;QAClC,QAAQ,EAAE,qCAAqC;QAC/C,OAAO,EAAE,CAAC,WAAW,CAAC;KACvB,CAAC;IAEF,MAAM,mBAAmB,GAAG,IAAA,wCAAwB,EAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,+BAA+B,eAAe,CAAC,QAAQ,EAAE,CAAC,CAAC;IACvE,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACvE,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,cAAc,mBAAmB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,4BAA4B;IAC5B,MAAM,UAAU,GAAG;QACjB,eAAe,EAAE,gBAAgB;QACjC,QAAQ,EAAE,kBAAkB;QAC5B,OAAO,EAAE,CAAC,WAAW,CAAC;KACvB,CAAC;IAEF,MAAM,cAAc,GAAG,IAAA,wCAAwB,EAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,2BAA2B,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAClE,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,cAAc,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7B,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;IAC1D,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IACpE,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;IAE/D,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7B,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;AAC1E,CAAC;AAED,eAAe;AACf,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;IAC5B,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/security/url-validator.d.ts

@@ -0,0 +1,48 @@
+/**
+ * URL Security Validation Module
+ *
+ * Provides validation and allowlisting for email provider URLs to prevent
+ * malicious redirects and supply chain attacks.
+ */
+export interface URLValidationResult {
+    isValid: boolean;
+    reason?: string;
+    domain?: string;
+    normalizedUrl?: string;
+}
+/**
+ * Validates if a URL is safe for email provider redirects
+ *
+ * @param url - The URL to validate
+ * @returns Validation result with details
+ */
+export declare function validateEmailProviderUrl(url: string): URLValidationResult;
+/**
+ * Validates all URLs in an email providers array
+ *
+ * @param providers - Array of email providers to validate
+ * @returns Array of validation results
+ */
+export declare function validateAllProviderUrls(providers: any[]): Array<{
+    provider: string;
+    url: string;
+    validation: URLValidationResult;
+}>;
+/**
+ * Security audit function to check all provider URLs
+ *
+ * @param providers - Array of email providers to audit
+ * @returns Security audit report
+ */
+export declare function auditProviderSecurity(providers: any[]): {
+    total: number;
+    valid: number;
+    invalid: number;
+    invalidProviders: {
+        provider: string;
+        url: string;
+        validation: URLValidationResult;
+    }[];
+    report: string;
+};
+//# sourceMappingURL=url-validator.d.ts.map

package/dist/security/url-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-validator.d.ts","sourceRoot":"","sources":["../../src/security/url-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAwIH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,mBAAmB,CA4HzE;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,mBAAmB,CAAC;CACjC,CAAC,CAkBD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,GAAG,EAAE;;;;;kBA7B1C,MAAM;aACX,MAAM;oBACC,mBAAmB;;;EAyChC"}

package/dist/security/url-validator.js

@@ -0,0 +1,294 @@
+"use strict";
+/**
+ * URL Security Validation Module
+ *
+ * Provides validation and allowlisting for email provider URLs to prevent
+ * malicious redirects and supply chain attacks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateEmailProviderUrl = validateEmailProviderUrl;
+exports.validateAllProviderUrls = validateAllProviderUrls;
+exports.auditProviderSecurity = auditProviderSecurity;
+/**
+ * Allowlisted domains for email providers.
+ * Only URLs from these domains will be considered safe.
+ *
+ * NOTE: This list should be maintained carefully and updated only
+ * through security review processes.
+ */
+const ALLOWED_DOMAINS = [
+    // Google services
+    'google.com',
+    'gmail.com',
+    'googlemail.com',
+    'mail.google.com',
+    'accounts.google.com',
+    // Microsoft services
+    'microsoft.com',
+    'outlook.com',
+    'outlook.office365.com',
+    'hotmail.com',
+    'live.com',
+    'office.com',
+    // Yahoo services
+    'yahoo.com',
+    'yahoo.co.uk',
+    'yahoo.fr',
+    'yahoo.de',
+    'login.yahoo.com',
+    // Privacy-focused providers
+    'proton.me',
+    'protonmail.com',
+    'protonmail.ch',
+    'tutanota.com',
+    'tutanota.de',
+    'posteo.de',
+    'runbox.com',
+    'countermail.com',
+    'hushmail.com',
+    // Business providers
+    'zoho.com',
+    'fastmail.com',
+    'rackspace.com',
+    'apps.rackspace.com',
+    // Other legitimate providers
+    'aol.com',
+    'mail.aol.com',
+    'gmx.com',
+    'gmx.net',
+    'mail.com',
+    'yandex.com',
+    'yandex.ru',
+    'web.de',
+    'mail.ru',
+    'libero.it',
+    'orange.fr',
+    'free.fr',
+    't-online.de',
+    'comcast.net',
+    'att.net',
+    'verizon.net',
+    'bluehost.com',
+    'godaddy.com',
+    'secureserver.net',
+    // Additional providers from security audit
+    'kolabnow.com',
+    'connect.xfinity.com',
+    'login.verizon.com',
+    'www.simply.com',
+    'www.one.com',
+    'mailfence.com',
+    'neo.space',
+    'mail.126.com',
+    'mail.qq.com',
+    'mail.sina.com.cn',
+    'www.xtra.co.nz',
+    'mail.rediff.com',
+    'mail.rakuten.co.jp',
+    'mail.nifty.com',
+    'mail.iij.ad.jp',
+    'email.uol.com.br',
+    'email.bol.com.br',
+    'email.globo.com',
+    'webmail.terra.com.br',
+    'webmail.movistar.es',
+    'webmail.ono.com',
+    'webmail.telkom.co.za',
+    'webmail.vodacom.co.za',
+    'webmail.mtnonline.com',
+    'bdmail.net',
+    'mail.aamra.com.bd',
+    'mail.link3.net',
+    'mail.ionos.com',
+    'www.icloud.com',
+    'icloud.com',
+    'mail.hostinger.com',
+    'ngx257.inmotionhosting.com',
+    'privateemail.com',
+    'app.titan.email',
+    'tools.siteground.com',
+    'portal.hostgator.com'
+];
+/**
+ * Suspicious URL patterns that should always be rejected
+ */
+const SUSPICIOUS_PATTERNS = [
+    /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/, // IP addresses
+    /localhost/i,
+    /127\.0\.0\.1/,
+    /192\.168\./,
+    /10\./,
+    /172\./,
+    /\.tk$|\.ml$|\.ga$|\.cf$/i, // Suspicious TLDs
+    /[a-z0-9]+-[a-z0-9]+-[a-z0-9]+\./i, // Random subdomain patterns
+];
+/**
+ * URL shortener domains (should be rejected for security)
+ */
+const URL_SHORTENERS = [
+    'bit.ly',
+    'tinyurl.com',
+    't.co',
+    'short.link',
+    'ow.ly',
+    'is.gd',
+    'buff.ly'
+];
+/**
+ * Validates if a URL is safe for email provider redirects
+ *
+ * @param url - The URL to validate
+ * @returns Validation result with details
+ */
+function validateEmailProviderUrl(url) {
+    try {
+        // Check for malicious patterns in raw URL before parsing
+        const rawUrl = url.toLowerCase();
+        // Decode URL to catch encoded malicious patterns
+        let decodedUrl = '';
+        try {
+            decodedUrl = decodeURIComponent(rawUrl);
+        }
+        catch {
+            // If URL can't be decoded, treat as suspicious
+            return {
+                isValid: false,
+                reason: 'URL contains potentially malicious content',
+                domain: 'unknown'
+            };
+        }
+        // Check both raw and decoded URLs for malicious patterns
+        const urlsToCheck = [rawUrl, decodedUrl];
+        for (const urlToCheck of urlsToCheck) {
+            if (urlToCheck.includes('..') ||
+                urlToCheck.includes('%2e%2e') ||
+                urlToCheck.includes('javascript:') ||
+                urlToCheck.includes('data:') ||
+                urlToCheck.includes('vbscript:') ||
+                urlToCheck.includes('file:') ||
+                urlToCheck.includes('about:') ||
+                urlToCheck.includes('<script') ||
+                urlToCheck.includes('onload=') ||
+                urlToCheck.includes('onerror=')) {
+                return {
+                    isValid: false,
+                    reason: 'URL contains potentially malicious content',
+                    domain: 'unknown'
+                };
+            }
+        }
+        // Parse and normalize the URL
+        const urlObj = new URL(url);
+        const domain = urlObj.hostname.toLowerCase();
+        const normalizedUrl = urlObj.toString();
+        // Must use HTTPS
+        if (urlObj.protocol !== 'https:') {
+            return {
+                isValid: false,
+                reason: 'URL must use HTTPS protocol',
+                domain
+            };
+        }
+        // Check for suspicious patterns
+        for (const pattern of SUSPICIOUS_PATTERNS) {
+            if (pattern.test(domain)) {
+                return {
+                    isValid: false,
+                    reason: 'URL contains suspicious patterns',
+                    domain
+                };
+            }
+        }
+        // Check for URL shorteners
+        if (URL_SHORTENERS.includes(domain)) {
+            return {
+                isValid: false,
+                reason: 'URL shorteners are not allowed',
+                domain
+            };
+        }
+        // Check against allowlist
+        const isAllowed = ALLOWED_DOMAINS.some(allowedDomain => {
+            // Exact match or subdomain match
+            return domain === allowedDomain || domain.endsWith(`.${allowedDomain}`);
+        });
+        if (!isAllowed) {
+            return {
+                isValid: false,
+                reason: `Domain '${domain}' is not in the allowlist`,
+                domain
+            };
+        }
+        // Additional security checks for malicious content
+        const fullUrl = urlObj.toString().toLowerCase();
+        const pathname = urlObj.pathname.toLowerCase();
+        const search = urlObj.search.toLowerCase();
+        // Check for path traversal
+        if (pathname.includes('..') || pathname.includes('%2e%2e')) {
+            return {
+                isValid: false,
+                reason: 'URL contains potentially malicious content',
+                domain
+            };
+        }
+        // Check for JavaScript injection
+        if (fullUrl.includes('javascript:') || search.includes('javascript') || fullUrl.includes('data:')) {
+            return {
+                isValid: false,
+                reason: 'URL contains potentially malicious content',
+                domain
+            };
+        }
+        return {
+            isValid: true,
+            domain,
+            normalizedUrl
+        };
+    }
+    catch (error) {
+        return {
+            isValid: false,
+            reason: `Invalid URL format: ${error instanceof Error ? error.message : 'Unknown error'}`
+        };
+    }
+}
+/**
+ * Validates all URLs in an email providers array
+ *
+ * @param providers - Array of email providers to validate
+ * @returns Array of validation results
+ */
+function validateAllProviderUrls(providers) {
+    const results = [];
+    for (const provider of providers) {
+        if (provider.loginUrl) {
+            results.push({
+                provider: provider.companyProvider || 'Unknown',
+                url: provider.loginUrl,
+                validation: validateEmailProviderUrl(provider.loginUrl)
+            });
+        }
+    }
+    return results;
+}
+/**
+ * Security audit function to check all provider URLs
+ *
+ * @param providers - Array of email providers to audit
+ * @returns Security audit report
+ */
+function auditProviderSecurity(providers) {
+    const validations = validateAllProviderUrls(providers);
+    const invalid = validations.filter(v => !v.validation.isValid);
+    const valid = validations.filter(v => v.validation.isValid);
+    return {
+        total: validations.length,
+        valid: valid.length,
+        invalid: invalid.length,
+        invalidProviders: invalid,
+        report: invalid.length === 0
+            ? '✅ All provider URLs passed security validation'
+            : `⚠️  ${invalid.length} provider(s) failed security validation`
+    };
+}
+//# sourceMappingURL=url-validator.js.map