mailauth 4.8.2 → 4.8.4

package/.ncurc.js

@@ -1,15 +1,12 @@
 module.exports = {
     upgrade: true,
     reject: [
-        'marked',
-        'marked-man',
         // only works as ESM
         'chai',
-
-        // Fails in Node 16
-        'undici',
+        'fast-xml-parser',
 
         // fix later
-        'eslint'
+        'eslint',
+        'eslint-config-prettier'
     ]
 };

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [4.8.4](https://github.com/postalsys/mailauth/compare/v4.8.3...v4.8.4) (2025-04-21)
+
+
+### Bug Fixes
+
+* **bimi:** Bumped VMC module to add support for GLobalSign VMC root ([d0e9ecf](https://github.com/postalsys/mailauth/commit/d0e9ecf89b699aae8ad9953445f052b558250f5a))
+
+## [4.8.3](https://github.com/postalsys/mailauth/compare/v4.8.2...v4.8.3) (2025-04-20)
+
+
+### Bug Fixes
+
+* protect against prototype pollution ([3b7515d](https://github.com/postalsys/mailauth/commit/3b7515df768ce1d2e4e02858fdfca8efca6243fb))
+
 ## [4.8.2](https://github.com/postalsys/mailauth/compare/v4.8.1...v4.8.2) (2024-12-19)
 
 

package/lib/bimi/index.js

@@ -13,7 +13,9 @@ const httpsSchema = Joi.string().uri({
 const FETCH_TIMEOUT = 5 * 1000;
 
 const { fetch: fetchCmd, Agent } = require('undici');
-const fetchAgent = new Agent({ connect: { timeout: FETCH_TIMEOUT } });
+const fetchAgent = new Agent({
+    connect: { timeout: FETCH_TIMEOUT }
+});
 
 const { vmc } = require('@postalsys/vmc');
 const { validateSvg } = require('./validate-svg');

package/lib/parse-dkim-headers.js

@@ -279,13 +279,15 @@ const headerParser = buf => {
                 entry.comment = part.comment;
             }
 
-            if (['arc-authentication-results', 'authentication-results'].includes(headerKey) && part.key === 'dkim') {
-                if (!result[part.key]) {
-                    result[part.key] = [];
+            if (part.key && !['__proto__', 'constructor'].includes(part.key)) {
+                if (['arc-authentication-results', 'authentication-results'].includes(headerKey) && part.key === 'dkim') {
+                    if (!result[part.key]) {
+                        result[part.key] = [];
+                    }
+                    result[part.key].push(entry);
+                } else {
+                    result[part.key] = entry;
                 }
-                result[part.key].push(entry);
-            } else {
-                result[part.key] = entry;
             }
         });
 

package/package.json

@@ -1,14 +1,13 @@
 {
     "name": "mailauth",
-    "version": "4.8.2",
+    "version": "4.8.4",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
         "test": "eslint \"lib/**/*.js\" \"test/**/*.js\" && mocha --recursive \"./test/**/*.js\" --reporter spec",
-        "prepublish": "npm run man || true",
-        "man": "cd man && marked-man --version `node -e \"console.log('v'+require('../package.json').version)\"` --manual 'Mailauth Help' --section 1 man.md > mailauth.1",
-        "build-source": "rm -rf node_modules package-lock.json && npm install && npm run man && npm run licenses && rm -rf node_modules package-lock.json && npm install --production && rm -rf package-lock.json",
-        "build-dist": "npx pkg --compress Brotli package.json && rm -rf package-lock.json && npm install",
+        "build-source": "rm -rf node_modules package-lock.json && npm install && npm run licenses && rm -rf node_modules package-lock.json && npm install --production && rm -rf package-lock.json",
+        "build-dist": "npx pkg --compress Brotli package.json && rm -rf package-lock.json && npm install && node winconf.js",
+        "build-dist-fast": "pkg --debug package.json && npm install && node winconf.js",
         "licenses": "license-report --only=prod --output=table --config license-report-config.json > licenses.txt",
         "update": "rm -rf node_modules package-lock.json && npx ncu -u && npm install"
     },
@@ -38,36 +37,31 @@
         "eslint-config-nodemailer": "1.2.0",
         "eslint-config-prettier": "9.1.0",
         "js-yaml": "4.1.0",
-        "license-report": "6.7.1",
-        "marked": "0.7.0",
-        "marked-man": "0.7.0",
+        "license-report": "6.7.2",
         "mbox-reader": "1.2.0",
-        "mocha": "11.0.1"
+        "mocha": "11.1.0",
+        "resedit": "^2.0.3"
     },
     "dependencies": {
-        "@postalsys/vmc": "1.1.0",
-        "fast-xml-parser": "4.5.1",
+        "@postalsys/vmc": "1.1.1",
+        "fast-xml-parser": "4.5.2",
         "ipaddr.js": "2.2.0",
         "joi": "17.13.3",
         "libmime": "5.3.6",
-        "nodemailer": "6.9.16",
+        "nodemailer": "6.10.1",
         "punycode.js": "2.3.1",
-        "tldts": "6.1.68",
-        "undici": "5.28.4",
+        "tldts": "7.0.1",
+        "undici": "7.8.0",
         "yargs": "17.7.2"
     },
     "engines": {
-        "node": ">=16.0.0"
+        "node": ">=18.0.0"
     },
     "bin": {
         "mailauth": "bin/mailauth.js"
     },
-    "man": [
-        "man/mailauth.1"
-    ],
     "pkg": {
         "assets": [
-            "man/**/*",
             "licenses.txt",
             "LICENSE.txt"
         ],

package/winconf.js

@@ -0,0 +1,70 @@
+'use strict';
+
+const { load } = require('resedit/cjs');
+const PackageData = require('./package.json');
+
+const { readFileSync, writeFileSync } = require('fs');
+
+const options = {
+    in: './ee-dist/mailauth-win-x64.exe',
+    out: './ee-dist/mailauth-win-x64.exe',
+    version: PackageData.version,
+    properties: {
+        LegalCopyright: 'Postal Systems OÜ',
+        FileDescription: 'mailauth provides a command-line utility for email authentication',
+        ProductName: 'mailauth'
+    },
+    icon: 'assets/mailauth.ico'
+};
+
+const language = {
+    lang: 1033,
+    codepage: 1200
+};
+
+load().then(ResEdit => {
+    // Modify .exe w/ ResEdit
+    const data = readFileSync(options.in);
+    const executable = ResEdit.NtExecutable.from(data);
+    const res = ResEdit.NtExecutableResource.from(executable);
+    const vi = ResEdit.Resource.VersionInfo.fromEntries(res.entries)[0];
+
+    // Remove original filename
+    vi.removeStringValue(language, 'OriginalFilename');
+    vi.removeStringValue(language, 'InternalName');
+
+    // Product version
+    if (options.version) {
+        // Convert version to tuple of 3 numbers
+        const version = options.version
+            .split('.')
+            .map(v => Number(v) || 0)
+            .slice(0, 3);
+
+        // Update versions
+        vi.setProductVersion(...version, 0, language.lang);
+        vi.setFileVersion(...version, 0, language.lang);
+    }
+
+    // Add additional user specified properties
+    if (options.properties) {
+        vi.setStringValues(language, options.properties);
+    }
+
+    vi.outputToResourceEntries(res.entries);
+
+    // Add icon
+    if (options.icon) {
+        const iconFile = ResEdit.Data.IconFile.from(readFileSync(options.icon));
+        ResEdit.Resource.IconGroupEntry.replaceIconsForResource(
+            res.entries,
+            1,
+            language.lang,
+            iconFile.icons.map(item => item.data)
+        );
+    }
+
+    // Regenerate and write to .exe
+    res.outputResource(executable);
+    writeFileSync(options.out, Buffer.from(executable.generate()));
+});

package/man/mailauth.1

@@ -1,145 +0,0 @@
-.TH "MAILAUTH" "1" "December 2024" "v4.8.2" "Mailauth Help"
-.SH "NAME"
-\fBmailauth\fR
-.QP
-.P
-mailauth \- authenticate, sign and seal emails
-
-.
-.SH SYNOPSIS
-.P
-\fBmailauth\fP \fIcommand\fR [ \fIcommand_opts\fR ] [ \fIemail\fR ]
-.P
-\fBmailauth help\fP
-.P
-\fBmailauth\fP \fIcommand\fR \fBhelp\fP
-.SH DESCRIPTION
-.P
-Mailauth is an email authentication application to validate SPF, DKIM, DMARC, and ARC\. You can also sign emails with DKIM digital signatures and seal messages with ARC\.
-.SH COMMANDS
-.P
-\fBreport\fR
-.br
-Validate an email message and return a report in JSON format
-.P
-\fBsign\fR
-.br
-Sign an email with a DKIM digital signature
-.P
-\fBseal\fR
-.br
-Authenticates an email and seals it with an ARC digital signature
-.P
-\fBspf\fR
-.br
-Authenticates SPF for an IP address and email address
-.P
-\fBlicense\fR
-.br
-Display licenses for mailauth and included modules
-.SH Website
-.P
-\fIhttps://github\.com/postalsys/mailauth\fR
-.SH EXAMPLES
-.P
-\fBnpm install mailauth \-g\fP
-.P
-\fBmailauth report /path/to/email\.eml\fP
-.P
-\fBcat /path/to/email\.eml | mailauth report\fP
-.P
-\fBmailauth sign /path/to/email\.eml \-d kreata\.ee \-s test \-k /path/to/key\fP
-.P
-\fBmailauth spf \-f andris@wildduck\.email \-i 217\.146\.76\.20\fP
-.SH EMAIL ARGUMENT
-.P
-Email argument defines the path to the email message file in EML format\. If not specified, then
-content is read from standard input\.
-.SH OPTIONS
-.RS 0
-.IP \(bu 2
-\fB\-\-verbose\fP, \fB\-v\fP
-Enable silly verbose mode
-.IP \(bu 2
-\fB\-\-version\fP
-Print application version
-.IP \(bu 2
-\fB\-\-client\-ip\fP, \fB\-i <ip>\fP
-Client IP used for SPF checks\. If not set, then parsed from the latest Received header\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
-.IP \(bu 2
-\fB\-\-mta\fP, \fB\-m <hostname>\fP
-The hostname of this machine, used in the \fBAuthentication\-Results\fP header\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
-.IP \(bu 2
-\fB\-\-helo\fP, \fB\-e <hostname>\fP
-Client hostname from the EHLO/HELO command, used in some specific SPF checks\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
-.IP \(bu 2
-\fB\-\-sender\fP, \fB\-f <address>\fP
-The email address from the \fBMAIL FROM\fP command\. If not set, the address from the latest \fIReturn\-Path\fR header is used instead\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
-.IP \(bu 2
-\fB\-\-dns\-cache\fP, \fB\-n <file>\fP
-Path to a JSON file with cached DNS responses\. If this file is given, then no actual DNS requests are performed\. Anything that is not listed returns an \fBENOTFOUND\fP error\. (\fBreport\fP, \fBseal\fP, \fBspf\fP)
-.IP \(bu 2
-\fB\-\-private\-key\fP, \fB\-k <file>\fP
-Path to a private key for signing\. Allowed key types are RSA and Ed25519 (\fBsign\fP, \fBseal\fP)
-.IP \(bu 2
-\fB\-\-domain\fP, \fB\-d <domain>\fP
-Domain name for signing\. (\fBsign\fP, \fBseal\fP)
-.IP \(bu 2
-\fB\-\-selector\fP, \fB\-s <selector>\fP
-Key selector for signing\. (\fBsign\fP, \fBseal\fP)
-.IP \(bu 2
-\fB\-\-algo\fP, \fB\-a <algo>\fP
-Signing algorithm\. Defaults either to \fIrsa\-sha256\fR or \fIed25519\-sha256\fR depending on the private key format\. (\fBsign\fP, \fBseal\fP)
-.IP \(bu 2
-\fB\-\-canonicalization\fP, \fB\-c <algo>\fP
-Canonicalization algorithm\. Defaults to \fIrelaxed/relaxed\fR\|\. (\fBsign\fP)
-.IP \(bu 2
-\fB\-\-body\-length\fP, \fB\-l <number>\fP
-The maximum length of the canonicalized body to sign\. (\fBsign\fP)
-.IP \(bu 2
-\fB\-\-time\fP, \fB\-t <number>\fP
-Signing time as a Unix timestamp\. (\fBsign\fP, \fBseal\fP)
-.IP \(bu 2
-\fB\-\-header\-fields\fP, \fB\-h <list>\fP
-Colon separated list of header field names to sign\. (\fBsign\fP, \fBseal\fP)
-.IP \(bu 2
-\fB\-\-headers\-only\fP, \fB\-o\fP
-Return signing headers only\. By default, the entire message is printed to the console\. (\fBsign\fP, \fBseal\fP, \fBspf\fP)
-.IP \(bu 2
-\fB\-\-max\-lookups\fP, \fB\-x\fP
-How many DNS lookups allowed for SPF validation\. Defaults to 10\. (\fBreport\fP, \fBspf\fP)
-.IP \(bu 2
-\fB\-\-max\-void\-lookups\fP, \fB\-z\fP
-How many empty DNS lookups allowed for SPF validation\. Defaults to 2\. (\fBreport\fP, \fBspf\fP)
-
-.RE
-.SH DNS CACHE
-.P
-For cached DNS requests, use the following JSON object structure: primary keys are domain names, and subkeys are resource record types\.
-.P
-.RS 2
-.nf
-{
-    "selector\._domainkey\.example\.com": {
-        "TXT": [
-            [
-                "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ\.\.\.",
-                "\.\.\.sOLccRAmVAOmacHmayjDROTw/XilzErJj+uVAicGYfs10Nz+EUuwIDAQAB"
-            ]
-        ]
-    }
-}
-.fi
-.RE
-.P
-You can split longer TXT strings into multiple strings\. There is no length limit, unlike in actual DNS so you can put the entire public key into a single string\.
-.SH BUGS
-.P
-Please report any bugs to https://github\.com/postalsys/mailauth/issues\.
-.SH LICENSE
-.P
-Copyright (c) 2020\-2024, Postal Systems (MIT)\.
-.SH SEE ALSO
-.P
-node\.js(1)
-

package/man/man.md

@@ -1,140 +0,0 @@
-# mailauth(1)
-
-> mailauth - authenticate, sign and seal emails
-
-## SYNOPSIS
-
-`mailauth` _command_ [ _command_opts_ ] [ _email_ ]
-
-`mailauth help`
-
-`mailauth` _command_ `help`
-
-## DESCRIPTION
-
-Mailauth is an email authentication application to validate SPF, DKIM, DMARC, and ARC. You can also sign emails with DKIM digital signatures and seal messages with ARC.
-
-## COMMANDS
-
-**report**\
-Validate an email message and return a report in JSON format
-
-**sign**\
-Sign an email with a DKIM digital signature
-
-**seal**\
-Authenticates an email and seals it with an ARC digital signature
-
-**spf**\
-Authenticates SPF for an IP address and email address
-
-**license**\
-Display licenses for mailauth and included modules
-
-## Website
-
-[](https://github.com/postalsys/mailauth)
-
-## EXAMPLES
-
-`npm install mailauth -g`
-
-`mailauth report /path/to/email.eml`
-
-`cat /path/to/email.eml | mailauth report`
-
-`mailauth sign /path/to/email.eml -d kreata.ee -s test -k /path/to/key`
-
-`mailauth spf -f andris@wildduck.email -i 217.146.76.20`
-
-## EMAIL ARGUMENT
-
-Email argument defines the path to the email message file in EML format. If not specified, then
-content is read from standard input.
-
-## OPTIONS
-
--   `--verbose`, `-v`
-    Enable silly verbose mode
-
--   `--version`
-    Print application version
-
--   `--client-ip`, `-i <ip>`
-    Client IP used for SPF checks. If not set, then parsed from the latest Received header. (`report`, `seal`, `spf`)
-
--   `--mta`, `-m <hostname>`
-    The hostname of this machine, used in the `Authentication-Results` header. (`report`, `seal`, `spf`)
-
--   `--helo`, `-e <hostname>`
-    Client hostname from the EHLO/HELO command, used in some specific SPF checks. (`report`, `seal`, `spf`)
-
--   `--sender`, `-f <address>`
-    The email address from the `MAIL FROM` command. If not set, the address from the latest _Return-Path_ header is used instead. (`report`, `seal`, `spf`)
-
--   `--dns-cache`, `-n <file>`
-    Path to a JSON file with cached DNS responses. If this file is given, then no actual DNS requests are performed. Anything that is not listed returns an `ENOTFOUND` error. (`report`, `seal`, `spf`)
-
--   `--private-key`, `-k <file>`
-    Path to a private key for signing. Allowed key types are RSA and Ed25519 (`sign`, `seal`)
-
--   `--domain`, `-d <domain>`
-    Domain name for signing. (`sign`, `seal`)
-
--   `--selector`, `-s <selector>`
-    Key selector for signing. (`sign`, `seal`)
-
--   `--algo`, `-a <algo>`
-    Signing algorithm. Defaults either to _rsa-sha256_ or _ed25519-sha256_ depending on the private key format. (`sign`, `seal`)
-
--   `--canonicalization`, `-c <algo>`
-    Canonicalization algorithm. Defaults to _relaxed/relaxed_. (`sign`)
-
--   `--body-length`, `-l <number>`
-    The maximum length of the canonicalized body to sign. (`sign`)
-
--   `--time`, `-t <number>`
-    Signing time as a Unix timestamp. (`sign`, `seal`)
-
--   `--header-fields`, `-h <list>`
-    Colon separated list of header field names to sign. (`sign`, `seal`)
-
--   `--headers-only`, `-o`
-    Return signing headers only. By default, the entire message is printed to the console. (`sign`, `seal`, `spf`)
-
--   `--max-lookups`, `-x`
-    How many DNS lookups allowed for SPF validation. Defaults to 10. (`report`, `spf`)
-
--   `--max-void-lookups`, `-z`
-    How many empty DNS lookups allowed for SPF validation. Defaults to 2. (`report`, `spf`)
-
-## DNS CACHE
-
-For cached DNS requests, use the following JSON object structure: primary keys are domain names, and subkeys are resource record types.
-
-```
-{
-    "selector._domainkey.example.com": {
-        "TXT": [
-            [
-                "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ...",
-                "...sOLccRAmVAOmacHmayjDROTw/XilzErJj+uVAicGYfs10Nz+EUuwIDAQAB"
-            ]
-        ]
-    }
-}
-```
-
-You can split longer TXT strings into multiple strings. There is no length limit, unlike in actual DNS so you can put the entire public key into a single string.
-
-## BUGS
-
-Please report any bugs to https://github.com/postalsys/mailauth/issues.
-
-## LICENSE
-
-Copyright (c) 2020-2024, Postal Systems (MIT).
-
-## SEE ALSO
-
-node.js(1)