emailengine-app 2.68.1 → 2.70.0

package/lib/imapproxy/imap-core/lib/imap-command.js

@@ -369,9 +369,14 @@ class IMAPCommand {
     countBadResponses() {
         this.connection._badCount++;
         if (this.connection._badCount > MAX_BAD_COMMANDS) {
+            // Stop reading first so a command pipelined right after the offending input is not
+            // dispatched during the graceful-close window.
+            this.connection._stopReading();
             this.connection.clearNotificationListener();
             this.connection.send('* BYE Too many protocol errors');
-            setImmediate(() => this.connection.close(true));
+            // Graceful close so the BYE is flushed to the client before teardown (close() ends
+            // the socket and force-destroys via its own failsafe timer).
+            setImmediate(() => this.connection.close());
             return false;
         }
         return true;

package/lib/imapproxy/imap-core/lib/imap-connection.js

@@ -14,6 +14,12 @@ const packageInfo = require('../../../../package');
 
 const SOCKET_TIMEOUT = 5 * 60 * 1000;
 
+// Idle timeout applied to a proxied connection after auth handoff. Generous enough
+// to not interrupt IMAP IDLE (which can sit idle for ~29 minutes) while still
+// preventing a connection from being held open forever. Overridable via the
+// proxyTimeout server option; 0 disables it (legacy behaviour).
+const PROXY_SOCKET_TIMEOUT = 30 * 60 * 1000;
+
 /**
  * Creates a handler for new socket
  *
@@ -52,11 +58,15 @@ class IMAPConnection extends EventEmitter {
         this._upgrading = false;
 
         // Parser instance for the incoming stream
-        this._parser = new IMAPStream();
+        this._parser = new IMAPStream({ maxLineLength: this._server.options.maxLineLength });
 
         // Set handler for incoming commands
         this._parser.oncommand = this._onCommand.bind(this);
 
+        // Close the connection if the parser rejects the input (e.g. an over-long
+        // command line) instead of letting the error reach the global handler.
+        this._parser.on('error', err => this._onParserError(err));
+
         // Manage multi part command
         this._currentCommand = false;
 
@@ -194,8 +204,12 @@ class IMAPConnection extends EventEmitter {
     }
 
     unbind() {
+        // Cancel any armed graceful-close failsafe so it cannot destroy the socket after we
+        // have handed it off to the proxy backend.
+        clearTimeout(this._closingTimeout);
+
         this.writeStream.unpipe(this._socket);
-        this._socket.unpipe(this._parser);
+        this._stopReading();
 
         if (this._onCloseHandler) {
             this._socket.removeListener('close', this._onCloseHandler);
@@ -206,8 +220,29 @@ class IMAPConnection extends EventEmitter {
         if (this._onErrorHandler) {
             this._socket.removeListener('error', this._onErrorHandler);
         }
+        // Drop the auth-phase protocol timeout handler - after handoff it must not
+        // run, it would write IMAP responses into the proxied byte stream.
+        this._socket.setTimeout(0);
         if (this._onTimeoutHandler) {
-            this._socket.setTimeout(0, this._onTimeoutHandler);
+            this._socket.removeListener('timeout', this._onTimeoutHandler);
+        }
+
+        // Re-arm a generous idle timeout so the proxied connection cannot be held
+        // open indefinitely (fd/connection exhaustion). Use a plain socket destroy
+        // rather than the protocol-level handler. proxyTimeout: 0 disables it.
+        let proxyTimeout = this._server.options.proxyTimeout;
+        if (proxyTimeout === undefined || proxyTimeout === null) {
+            proxyTimeout = PROXY_SOCKET_TIMEOUT;
+        }
+        if (proxyTimeout) {
+            this._socket.setTimeout(proxyTimeout);
+            this._socket.once('timeout', () => {
+                try {
+                    this._socket.destroy();
+                } catch (err) {
+                    // ignore
+                }
+            });
         }
 
         // After handoff to proxy mode the connection's own close/end handlers are gone,
@@ -281,42 +316,53 @@ class IMAPConnection extends EventEmitter {
     /**
      * Close socket
      */
-    close(force) {
+    close() {
         if (this._closed || this._closing) {
             return;
         }
 
         if (!this._socket.destroyed && this._socket.writable) {
-            this._socket[!force ? 'end' : 'destroy']();
+            this._socket.end();
         }
 
         this._server.connections.delete(this);
 
-        if (!force) {
-            // allow socket to close in 1500ms or force it to close
-            this._closingTimeout = setTimeout(() => {
-                if (this._closed) {
-                    return;
-                }
+        // allow socket to close gracefully in 1500ms or force it to close
+        this._closingTimeout = setTimeout(() => {
+            if (this._closed) {
+                return;
+            }
 
-                try {
-                    this._socket.destroy();
-                } catch (err) {
-                    // ignore
-                }
+            try {
+                this._socket.destroy();
+            } catch (err) {
+                // ignore
+            }
 
-                setImmediate(() => this._onClose());
-            }, 1500);
-        }
+            setImmediate(() => this._onClose());
+        }, 1500);
 
         this._closing = true;
-        if (force) {
-            setImmediate(() => this._onClose());
-        }
     }
 
     // PRIVATE METHODS
 
+    /**
+     * Stop feeding the socket into the command parser. Called before teardown so a client
+     * cannot pipeline another command (e.g. LOGIN) after we have decided to close - which
+     * would otherwise be dispatched during the graceful-close window. Safe to call more than
+     * once; a no-op once the parser has been torn down in _onClose().
+     */
+    _stopReading() {
+        try {
+            if (this._parser) {
+                this._socket.unpipe(this._parser);
+            }
+        } catch (err) {
+            // ignore
+        }
+    }
+
     /**
      * Setup socket event handlers
      */
@@ -334,6 +380,34 @@ class IMAPConnection extends EventEmitter {
         this._socket.pipe(this._parser);
     }
 
+    /**
+     * Fired when the incoming-stream parser rejects the input (e.g. an over-long
+     * command line). Stops feeding the parser, tells the client, and closes.
+     * @param {Error} err - Parser error
+     */
+    _onParserError(err) {
+        this._stopReading();
+
+        this.logger.info(
+            {
+                tnx: 'parser',
+                cid: this.id
+            },
+            'Closing connection: %s',
+            err && err.message
+        );
+
+        try {
+            this.send('* BYE ' + ((err && err.message) || 'Protocol error'));
+        } catch (E) {
+            // ignore
+        }
+
+        // Graceful close so the BYE is flushed before teardown; close() force-destroys via
+        // its own failsafe timer if the socket does not close on its own.
+        setImmediate(() => this.close());
+    }
+
     /**
      * Fired when the socket is closed
      * @event
@@ -489,8 +563,12 @@ class IMAPConnection extends EventEmitter {
             return;
         }
 
+        // Stop reading first so a command pipelined right after the timeout is not dispatched
+        // during the graceful-close window. Graceful close still flushes the BYE before teardown
+        // (close() has a failsafe timer).
+        this._stopReading();
         this.send('* BYE Idle timeout, closing connection');
-        setImmediate(() => this.close(true));
+        setImmediate(() => this.close());
     }
 
     /**
@@ -504,6 +582,11 @@ class IMAPConnection extends EventEmitter {
 
         callback = callback || (() => false);
 
+        if (this._closing || this._closed) {
+            // connection is tearing down - do not dispatch further commands
+            return callback();
+        }
+
         if (this._upgrading) {
             // ignore any commands before TLS upgrade is finished
             return callback();
@@ -777,7 +860,6 @@ class IMAPConnection extends EventEmitter {
         if (existsResponse && !changed) {
             // send cached EXISTS response
             this.writeStream.write(existsResponse);
-            existsResponse = false;
         }
 
         if (changed) {

package/lib/imapproxy/imap-core/lib/imap-server.js

@@ -12,6 +12,10 @@ const base32 = require('base32.js');
 
 const CLOSE_TIMEOUT = 1 * 1000; // how much to wait until pending connections are terminated
 
+// A PROXY protocol v1 header is at most ~107 bytes. Bound the buffer so a trusted
+// proxy source that never sends a newline cannot grow memory without limit.
+const MAX_PROXY_HEADER_SIZE = 256;
+
 /**
  * Creates a IMAP server instance.
  *
@@ -273,6 +277,26 @@ class IMAPServer extends EventEmitter {
                 }
                 chunks.push(chunk);
                 chunklen += chunk.length;
+
+                if (chunklen > MAX_PROXY_HEADER_SIZE) {
+                    socket.removeListener('readable', socketReader);
+                    try {
+                        socket.end('* BAD Invalid PROXY header\r\n');
+                    } catch (E) {
+                        // ignore
+                    }
+                    // end() only half-closes the socket; arm a short timeout so the fd is
+                    // released even if the peer never closes its side (fd exhaustion).
+                    socket.setTimeout(CLOSE_TIMEOUT);
+                    socket.once('timeout', () => {
+                        try {
+                            socket.destroy();
+                        } catch (E) {
+                            // ignore
+                        }
+                    });
+                    return;
+                }
             }
         };
         socket.on('readable', socketReader);

package/lib/imapproxy/imap-core/lib/imap-stream.js

@@ -4,6 +4,11 @@ const stream = require('stream');
 const Writable = stream.Writable;
 const PassThrough = stream.PassThrough;
 
+// Upper bound for a single command line (no CRLF yet). Generous - real IMAP command
+// lines are short and bulk data is sent as size-bounded literals - but it prevents a
+// client that never sends a newline from growing memory without limit (OOM).
+const MAX_LINE_LENGTH = 1 * 1024 * 1024;
+
 /**
  * Incoming IMAP stream parser. Detects and emits command payloads.
  * If literal values are encountered the command payload is split into parts
@@ -21,6 +26,9 @@ class IMAPStream extends Writable {
         this.options = options || {};
         Writable.call(this, this.options);
 
+        // largest single command line we will buffer before giving up
+        this._maxLineLength = Number(this.options.maxLineLength) || MAX_LINE_LENGTH;
+
         // unprocessed chars from the last parsing iteration
         this._remainder = '';
         this._literal = false;
@@ -40,6 +48,18 @@ class IMAPStream extends Writable {
         throw new Error('Command handler is not set');
     }
 
+    /**
+     * Discards any buffered or partial parser state. Used on TLS upgrade so that
+     * plaintext pipelined before STARTTLS cannot be parsed as commands inside the
+     * encrypted session (STARTTLS command injection).
+     */
+    reset() {
+        this._remainder = '';
+        this._literal = false;
+        this._literalReady = false;
+        this._expecting = 0;
+    }
+
     // PRIVATE METHODS
 
     /**
@@ -107,6 +127,12 @@ class IMAPStream extends Writable {
             pos += line.length + match[0].length;
         } else {
             this._remainder = pos < data.length ? data.substr(pos) : '';
+            if (this._remainder.length > this._maxLineLength) {
+                // Drop the buffered data and fail the stream - the connection layer
+                // closes the socket on a parser error.
+                this._remainder = '';
+                return done(new Error('Command line too long'));
+            }
             return done();
         }
 

package/lib/logger.js

@@ -19,22 +19,13 @@ let logger = pino({
         log(object) {
             if (object.err && ['TypeError', 'RangeError'].includes(object.err.name)) {
                 if (logger.notifyError) {
-                    logger.notifyError(object.err, event => {
-                        if (object.account) {
-                            event.setUser(object.account);
+                    let meta = {};
+                    for (let key of ['msg', 'path', 'cid']) {
+                        if (object[key]) {
+                            meta[key] = object[key];
                         }
-                        let meta = {};
-                        let hasMeta = false;
-                        for (let key of ['msg', 'path', 'cid']) {
-                            if (object[key]) {
-                                meta[key] = object[key];
-                                hasMeta = true;
-                            }
-                        }
-                        if (hasMeta) {
-                            event.addMetadata('ee', meta);
-                        }
-                    });
+                    }
+                    logger.notifyError(object.err, { user: object.account, meta });
                 }
             }
             return object;
@@ -49,6 +40,22 @@ if (threadId) {
     logger = logger.child({ tid: threadId });
 }
 
+// An error that reaches the global handlers leaves the process in an unknown state,
+// so the process must always exit. If error tracking is enabled, report the error
+// first and allow a short flush window for the delivery.
+function fatalShutdown(code, err) {
+    if (logger.notifyError) {
+        logger.notifyError(err);
+    }
+
+    let exit = () => process.exit(code);
+    if (logger.flushNotifications) {
+        logger.flushNotifications().then(exit, exit);
+    } else {
+        setTimeout(exit, 10);
+    }
+}
+
 process.on('uncaughtException', err => {
     logger.fatal({
         msg: 'uncaughtException',
@@ -56,9 +63,7 @@ process.on('uncaughtException', err => {
         err
     });
 
-    if (!logger.notifyError) {
-        setTimeout(() => process.exit(1), 10);
-    }
+    fatalShutdown(1, err);
 });
 
 process.on('unhandledRejection', err => {
@@ -68,9 +73,7 @@ process.on('unhandledRejection', err => {
         err
     });
 
-    if (!logger.notifyError) {
-        setTimeout(() => process.exit(2), 10);
-    }
+    fatalShutdown(2, err);
 });
 
 module.exports = logger;

package/lib/message-port-stream.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const { Writable, Readable } = require('stream');
+const { Writable, Readable, pipeline } = require('stream');
 
 // const { MessageChannel } = require('worker_threads');
 // const { port1, port2 } = new MessageChannel();
@@ -9,6 +9,41 @@ class MessagePortWritable extends Writable {
     constructor(messagePort) {
         super();
         this.messagePort = messagePort;
+        this.portClosed = false;
+
+        // The reader side posts { cancel: true } when it is torn down (e.g. the
+        // HTTP client aborted the download). Stop the transfer so the upstream
+        // source - and the IMAP lock it holds - is released.
+        this.onPortMessage = message => {
+            if (message && message.cancel) {
+                this.destroy();
+            }
+        };
+        this.messagePort.on('message', this.onPortMessage);
+    }
+
+    postToPort(message) {
+        if (this.portClosed) {
+            return;
+        }
+        try {
+            this.messagePort.postMessage(message);
+        } catch (err) {
+            // ignore - the channel may already be torn down
+        }
+    }
+
+    closePort() {
+        if (this.portClosed) {
+            return;
+        }
+        this.portClosed = true;
+        this.messagePort.removeListener('message', this.onPortMessage);
+        try {
+            this.messagePort.close();
+        } catch (err) {
+            // ignore
+        }
     }
 
     _write(chunk, encoding, done) {
@@ -20,24 +55,25 @@ class MessagePortWritable extends Writable {
             chunk = Buffer.from(chunk, encoding);
         }
 
-        this.messagePort.postMessage({
-            value: chunk,
-            done: false
-        });
+        this.postToPort({ value: chunk, done: false });
         done();
     }
 
     _final(done) {
-        this.messagePort.postMessage({
-            done: true
-        });
-        try {
-            this.messagePort.close();
-        } catch (err) {
-            //ignore
-        }
+        this.postToPort({ done: true });
+        this.closePort();
         done();
     }
+
+    _destroy(err, done) {
+        // Abnormal termination: tell the reader so a truncated transfer is not
+        // mistaken for a complete message, then release the port.
+        if (err) {
+            this.postToPort({ error: err.message || 'Stream error' });
+        }
+        this.closePort();
+        done(err);
+    }
 }
 
 class MessagePortReadable extends Readable {
@@ -46,17 +82,28 @@ class MessagePortReadable extends Readable {
         this.messagePort = messagePort;
 
         this.canRead = false;
+        this.portClosed = false;
 
         this.readableQueue = [];
-        this.messagePort.on('message', message => {
-            if (message && (message.done || message.value)) {
+        this.onPortMessage = message => {
+            if (!message) {
+                return;
+            }
+            if (message.error) {
+                // The producer failed mid-transfer - surface it as a stream error
+                // rather than letting the consumer believe it received everything.
+                this.destroy(new Error(message.error));
+                return;
+            }
+            if (message.done || message.value) {
                 this.readableQueue.push(message);
 
                 if (this.canRead && this.readableQueue.length === 1) {
                     this._processReading();
                 }
             }
-        });
+        };
+        this.messagePort.on('message', this.onPortMessage);
     }
 
     _processReading() {
@@ -73,7 +120,57 @@ class MessagePortReadable extends Readable {
         this.canRead = true;
         this._processReading();
     }
+
+    _destroy(err, done) {
+        // Consumer is gone (client aborted, error, or clean end): tell the producer
+        // to stop and release the port + listener so nothing leaks across threads.
+        if (!this.portClosed) {
+            this.portClosed = true;
+            try {
+                this.messagePort.postMessage({ cancel: true });
+            } catch (cancelErr) {
+                // ignore - the peer may already be closed
+            }
+            this.messagePort.removeListener('message', this.onPortMessage);
+            try {
+                this.messagePort.close();
+            } catch (closeErr) {
+                // ignore
+            }
+        }
+        done(err);
+    }
+}
+
+/**
+ * Pipes a readable source into a MessagePortWritable so that an error on either
+ * side tears the transfer down instead of surfacing as an unhandled 'error'
+ * event. A mid-download failure on an IMAP source stream would otherwise crash
+ * the worker (and every account assigned to it).
+ *
+ * @param {Readable} source - Source stream (e.g. an IMAP download stream)
+ * @param {MessagePortWritable} writable - Destination bound to a MessagePort
+ * @param {Object} [logger] - Optional logger used to report transfer failures
+ */
+function pipeToMessagePort(source, writable, logger) {
+    pipeline(source, writable, err => {
+        if (!err || !logger) {
+            return;
+        }
+        // A consumer that aborts mid-download closes the destination early; that
+        // is expected (not a failure) so it should not be logged at error level.
+        if (err.code === 'ERR_STREAM_PREMATURE_CLOSE') {
+            if (typeof logger.debug === 'function') {
+                logger.debug({ msg: 'Message stream transfer aborted by consumer', err });
+            }
+            return;
+        }
+        if (typeof logger.error === 'function') {
+            logger.error({ msg: 'Message stream transfer failed', err });
+        }
+    });
 }
 
 module.exports.MessagePortWritable = MessagePortWritable;
 module.exports.MessagePortReadable = MessagePortReadable;
+module.exports.pipeToMessagePort = pipeToMessagePort;

package/lib/metrics-collector.js

@@ -91,8 +91,6 @@ class MetricsCollector {
      * Collect metrics in background (sequential to avoid CPU spikes)
      */
     async collectInBackground() {
-        const startTime = Date.now();
-
         // Start with main thread info
         let threadsInfo = [
             Object.assign(

package/lib/oauth2-apps.js

@@ -339,10 +339,6 @@ class OAuth2AppsHandler {
             apps: []
         };
 
-        if (idList.length <= startPos) {
-            return response;
-        }
-
         //let keys = idList.slice(startPos, startPos + pageSize);
         let keys = idList;
 
@@ -406,6 +402,8 @@ class OAuth2AppsHandler {
             });
         }
 
+        // Recount after undecodable entries were skipped and query filters were applied
+        response.total = response.apps.length;
         response.pages = Math.ceil(response.apps.length / pageSize);
         response.apps = response.apps.slice(startPos, startPos + pageSize);
 
@@ -747,6 +745,17 @@ class OAuth2AppsHandler {
 
     async update(id, data, opts) {
         opts = opts || {};
+
+        // `tenant` is a UI-style alias for an Outlook directory tenant ID. Only honor it when
+        // the caller explicitly selected it via authority='tenant' (the UI form convention) -
+        // a stray tenant value alone must not overwrite the stored authority.
+        if (data && typeof data === 'object' && 'tenant' in data) {
+            if (data.tenant && data.authority === 'tenant') {
+                data.authority = data.tenant;
+            }
+            delete data.tenant;
+        }
+
         if (LEGACY_KEYS.includes(id)) {
             // legacy
             return await this.updateLegacyApp(id, data);