npm - mailauth - Versions diffs - 4.9.0 → 4.9.1 - Mend

mailauth 4.9.0 → 4.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,12 @@
 # Changelog
+## [4.9.1](https://github.com/postalsys/mailauth/compare/v4.9.0...v4.9.1) (2025-08-27)
+### Bug Fixes
+* ZMS-262: Add raw record sanitanization and validation util functions ([#93](https://github.com/postalsys/mailauth/issues/93)) ([e4842cf](https://github.com/postalsys/mailauth/commit/e4842cf222bd6db29f34c25434b5c38c44edefdc))
 ## [4.9.0](https://github.com/postalsys/mailauth/compare/v4.8.6...v4.9.0) (2025-08-21)

package/lib/bimi/index.js CHANGED Viewed

@@ -3,7 +3,7 @@
 const { Buffer } = require('node:buffer');
 const crypto = require('node:crypto');
 const dns = require('node:dns');
-const { formatAuthHeaderRow, parseDkimHeaders, formatDomain, getAlignment } = require('../tools');
+const { formatAuthHeaderRow, parseDkimHeaders, formatDomain, getAlignment, validateTagValueRecord } = require('../tools');
 const Joi = require('joi');
 //const packageData = require('../../package.json');
 const httpsSchema = Joi.string().uri({
@@ -184,7 +184,8 @@ const lookup = async data => {
         response.authority = recordData.parsed.a.value;
         // Apple Mail requires additional policy header values in Authentication-Results header
-        response.status.policy = { authority: 'none', 'authority-uri': recordData.parsed.a.value }; // VMC has not been actually checked here yet, so authority is none
+        const authorityUriValidationObj = validateTagValueRecord(recordData.parsed.a.value, 'bimi');
+        response.status.policy = { authority: 'none', 'authority-uri': authorityUriValidationObj.sanitizedRecord }; // VMC has not been actually checked here yet, so authority is none
     }
     response.info = formatAuthHeaderRow('bimi', response.status);

package/lib/tools.js CHANGED Viewed

@@ -570,6 +570,153 @@ function getCurTime(timeValue) {
     return new Date();
 }
+function parseTagValueRecord(record, options = {}) {
+    const {
+        requiredTags = [],
+        allowedTags = null, // null means allow all, array means restrict to these
+        caseSensitive = false,
+        strictMode = false, // if true, stops parsing on first malformed part
+        allowDuplicateKeys = true // if false, treats duplicate keys as errors
+    } = options;
+    let sanitized = (record || '')
+        .replace(/\\r\\n/g, '') // Remove literal \r\n
+        .replace(/\\n/g, '') // Remove literal \n
+        .replace(/\r?\n/g, '') // Remove actual newlines
+        .trim();
+    // Split on semicolons
+    const parts = sanitized.split(';');
+    const tags = {};
+    const validPairs = [];
+    const errors = [];
+    const warnings = [];
+    for (let part of parts) {
+        part = part.trim();
+        if (!part) continue; // Skip empty parts
+        // Look for tag=value pattern
+        const equalIndex = part.indexOf('=');
+        if (equalIndex === -1) {
+            const error = `Malformed part (no equals sign): "${part}"`;
+            errors.push(error);
+            if (strictMode) break;
+            continue;
+        }
+        let key = part.substring(0, equalIndex).trim();
+        let value = part.substring(equalIndex + 1).trim();
+        const normalizedKey = caseSensitive ? key : key.toLowerCase();
+        // Validate key format (should be alphanumeric, may include hyphens/underscores)
+        if (!/^[a-zA-Z0-9_-]+$/.test(key)) {
+            const error = `Invalid tag name: "${key}"`;
+            errors.push(error);
+            if (strictMode) break;
+            continue;
+        }
+        if (allowedTags && !allowedTags.includes(normalizedKey)) {
+            warnings.push(`Unknown/disallowed tag ignored: "${key}"`);
+            continue;
+        }
+        if (normalizedKey in tags) {
+            if (!allowDuplicateKeys) {
+                const error = `Duplicate tag not allowed: "${key}"`;
+                errors.push(error);
+                if (strictMode) break;
+                continue;
+            }
+            if (Array.isArray(tags[normalizedKey])) {
+                tags[normalizedKey].push(value);
+            } else {
+                tags[normalizedKey] = [tags[normalizedKey], value];
+            }
+            warnings.push(`Duplicate tag "${key}" found`);
+        } else {
+            tags[normalizedKey] = value;
+        }
+        validPairs.push([normalizedKey, value]);
+    }
+    for (const requiredTag of requiredTags) {
+        const normalizedRequired = caseSensitive ? requiredTag : requiredTag.toLowerCase();
+        if (!(normalizedRequired in tags)) {
+            errors.push(`Missing required tag: "${requiredTag}"`);
+        }
+    }
+    const sanitizedRecord = validPairs.map(([key, value]) => `${key}=${value}`).join('; ');
+    return {
+        tags,
+        errors,
+        warnings,
+        isValid: errors.length === 0,
+        sanitizedRecord,
+        originalRecord: record
+    };
+}
+function validateTagValueRecord(record, recordType) {
+    const configs = {
+        BIMI: {
+            requiredTags: ['v', 'l', 'a'],
+            allowedTags: ['v', 'l', 'a'],
+            caseSensitive: false,
+            strictMode: true,
+            allowDuplicateKeys: false,
+            validators: {
+                v: value => (/^BIMI\d+$/i.test(value) ? null : `Version must match BIMI<digit>, got: ${value}`),
+                l: value => {
+                    if (!value.trim()) return 'Location cannot be empty';
+                    try {
+                        const url = new URL(value.trim());
+                        return url.protocol !== 'https:' ? 'Location must use HTTPS protocol' : null;
+                    } catch (e) {
+                        return `Invalid location URL: ${value}`;
+                    }
+                },
+                a: value => {
+                    if (!value.trim()) return 'Authority cannot be empty';
+                    try {
+                        const url = new URL(value.trim());
+                        return url.protocol !== 'https:' ? 'Authority must use HTTPS protocol' : null;
+                    } catch (e) {
+                        return `Invalid authority URL: ${value}`;
+                    }
+                }
+            }
+        }
+    };
+    const config = configs[recordType.toUpperCase()];
+    if (!config) {
+        throw new Error(`Unknown record type: ${recordType}`);
+    }
+    const parsed = parseTagValueRecord(record, config);
+    if (config.validators && parsed.isValid) {
+        for (const [tag, validator] of Object.entries(config.validators)) {
+            if (parsed.tags && tag in parsed.tags) {
+                const validationError = validator(parsed.tags[tag]);
+                if (validationError) {
+                    parsed.errors.push(validationError);
+                }
+            }
+        }
+        parsed.isValid = parsed.errors.length === 0;
+    }
+    return parsed;
+}
 module.exports = {
     writeToStream,
     parseHeaders,
@@ -598,5 +745,8 @@ module.exports = {
     getCurTime,
-    TLDTS_OPTS
+    TLDTS_OPTS,
+    validateTagValueRecord,
+    parseTagValueRecord
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "mailauth",
-    "version": "4.9.0",
+    "version": "4.9.1",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {