npm - nodemailer - Versions diffs - 6.9.8 → 6.9.10 - Mend

nodemailer 6.9.8 → 6.9.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.ncurc.js +1 -3
package/CHANGELOG.md +16 -0
package/lib/mail-composer/index.js +9 -9
package/lib/mailer/index.js +16 -14
package/lib/shared/index.js +53 -3
package/package.json +6 -9

package/.ncurc.js CHANGED Viewed

@@ -2,8 +2,6 @@ module.exports = {
     upgrade: true,
     reject: [
         // API changes break existing tests
-        'proxy',
-        // ESM
-        'chai'
+        'proxy'
     ]
 };

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,21 @@
 # CHANGELOG
+## [6.9.10](https://github.com/nodemailer/nodemailer/compare/v6.9.9...v6.9.10) (2024-02-22)
+### Bug Fixes
+* **data-uri:** Do not use regular expressions for parsing data URI schemes ([12e65e9](https://github.com/nodemailer/nodemailer/commit/12e65e975d80efe6bafe6de4590829b3b5ebb492))
+* **data-uri:** Moved all data-uri regexes to use the non-regex parseDataUri method ([edd5dfe](https://github.com/nodemailer/nodemailer/commit/edd5dfe5ce9b725f8b8ae2830797f65b2a2b0a33))
+## [6.9.9](https://github.com/nodemailer/nodemailer/compare/v6.9.8...v6.9.9) (2024-02-01)
+### Bug Fixes
+* **security:** Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected ([dd8f5e8](https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a))
+* **tests:** Use native node test runner, added code coverage support, removed grunt ([#1604](https://github.com/nodemailer/nodemailer/issues/1604)) ([be45c1b](https://github.com/nodemailer/nodemailer/commit/be45c1b299d012358d69247019391a02734d70af))
 ## [6.9.8](https://github.com/nodemailer/nodemailer/compare/v6.9.7...v6.9.8) (2023-12-30)

package/lib/mail-composer/index.js CHANGED Viewed

@@ -4,6 +4,7 @@
 const MimeNode = require('../mime-node');
 const mimeFuncs = require('../mime-funcs');
+const parseDataURI = require('../shared').parseDataURI;
 /**
  * Creates the object for composing a MimeNode instance out from the mail options
@@ -537,12 +538,17 @@ class MailComposer {
      * @return {Object} Parsed element
      */
     _processDataUrl(element) {
-        let parts = (element.path || element.href).match(/^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/i);
-        if (!parts) {
+        let parsedDataUri;
+        if ((element.path || element.href).match(/^data:/)) {
+            parsedDataUri = parseDataURI(element.path || element.href);
+        }
+        if (!parsedDataUri) {
             return element;
         }
-        element.content = /\bbase64$/i.test(parts[1]) ? Buffer.from(parts[2], 'base64') : Buffer.from(decodeURIComponent(parts[2]));
+        element.content = parsedDataUri.data;
+        element.contentType = element.contentType || parsedDataUri.contentType;
         if ('path' in element) {
             element.path = false;
@@ -552,12 +558,6 @@ class MailComposer {
             element.href = false;
         }
-        parts[1].split(';').forEach(item => {
-            if (/^\w+\/[^/]+$/i.test(item)) {
-                element.contentType = element.contentType || item.toLowerCase();
-            }
-        });
         return element;
     }
 }

package/lib/mailer/index.js CHANGED Viewed

@@ -395,21 +395,23 @@ class Mail extends EventEmitter {
                 return callback(err);
             }
             let cidCounter = 0;
-            html = (html || '').toString().replace(/(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/gi, (match, prefix, dataUri, mimeType) => {
-                let cid = crypto.randomBytes(10).toString('hex') + '@localhost';
-                if (!mail.data.attachments) {
-                    mail.data.attachments = [];
-                }
-                if (!Array.isArray(mail.data.attachments)) {
-                    mail.data.attachments = [].concat(mail.data.attachments || []);
-                }
-                mail.data.attachments.push({
-                    path: dataUri,
-                    cid,
-                    filename: 'image-' + ++cidCounter + '.' + mimeTypes.detectExtension(mimeType)
+            html = (html || '')
+                .toString()
+                .replace(/(<img\b[^<>]{0,1024} src\s{0,20}=[\s"']{0,20})(data:([^;]+);[^"'>\s]+)/gi, (match, prefix, dataUri, mimeType) => {
+                    let cid = crypto.randomBytes(10).toString('hex') + '@localhost';
+                    if (!mail.data.attachments) {
+                        mail.data.attachments = [];
+                    }
+                    if (!Array.isArray(mail.data.attachments)) {
+                        mail.data.attachments = [].concat(mail.data.attachments || []);
+                    }
+                    mail.data.attachments.push({
+                        path: dataUri,
+                        cid,
+                        filename: 'image-' + ++cidCounter + '.' + mimeTypes.detectExtension(mimeType)
+                    });
+                    return prefix + 'cid:' + cid;
                 });
-                return prefix + 'cid:' + cid;
-            });
             mail.data.html = html;
             callback();
         });

package/lib/shared/index.js CHANGED Viewed

@@ -418,6 +418,55 @@ module.exports.callbackPromise = (resolve, reject) =>
         }
     };
+module.exports.parseDataURI = uri => {
+    let input = uri;
+    let commaPos = input.indexOf(',');
+    if (!commaPos) {
+        return uri;
+    }
+    let data = input.substring(commaPos + 1);
+    let metaStr = input.substring('data:'.length, commaPos);
+    let encoding;
+    let metaEntries = metaStr.split(';');
+    let lastMetaEntry = metaEntries.length > 1 ? metaEntries[metaEntries.length - 1] : false;
+    if (lastMetaEntry && lastMetaEntry.indexOf('=') < 0) {
+        encoding = lastMetaEntry.toLowerCase();
+        metaEntries.pop();
+    }
+    let contentType = metaEntries.shift() || 'application/octet-stream';
+    let params = {};
+    for (let entry of metaEntries) {
+        let sep = entry.indexOf('=');
+        if (sep >= 0) {
+            let key = entry.substring(0, sep);
+            let value = entry.substring(sep + 1);
+            params[key] = value;
+        }
+    }
+    switch (encoding) {
+        case 'base64':
+            data = Buffer.from(data, 'base64');
+            break;
+        case 'utf8':
+            data = Buffer.from(data);
+            break;
+        default:
+            try {
+                data = Buffer.from(decodeURIComponent(data));
+            } catch (err) {
+                data = Buffer.from(data);
+            }
+            data = Buffer.from(data);
+    }
+    return { data, encoding, contentType, params };
+};
 /**
  * Resolves a String or a Buffer value for content value. Useful if the value
  * is a Stream or a file or an URL. If the value is a Stream, overwrites
@@ -470,11 +519,12 @@ module.exports.resolveContent = (data, key, callback) => {
             contentStream = nmfetch(content.path || content.href);
             return resolveStream(contentStream, callback);
         } else if (/^data:/i.test(content.path || content.href)) {
-            let parts = (content.path || content.href).match(/^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/i);
-            if (!parts) {
+            let parsedDataUri = module.exports.parseDataURI(content.path || content.href);
+            if (!parsedDataUri || !parsedDataUri.data) {
                 return callback(null, Buffer.from(0));
             }
-            return callback(null, /\bbase64$/i.test(parts[1]) ? Buffer.from(parts[2], 'base64') : Buffer.from(decodeURIComponent(parts[2])));
+            return callback(null, parsedDataUri.data);
         } else if (content.path) {
             return resolveStream(fs.createReadStream(content.path), callback);
         }

package/package.json CHANGED Viewed

@@ -1,10 +1,12 @@
 {
     "name": "nodemailer",
-    "version": "6.9.8",
+    "version": "6.9.10",
     "description": "Easy as cake e-mail sending from your Node.js applications",
     "main": "lib/nodemailer.js",
     "scripts": {
-        "test": "grunt --trace-warnings",
+        "test": "node --test --test-concurrency=1 test/**/*.test.js test/**/*-test.js",
+        "test:coverage": "c8 node --test --test-concurrency=1 test/**/*.test.js test/**/*-test.js",
+        "lint": "eslint .",
         "update": "rm -rf node_modules/ package-lock.json && ncu -u && npm install"
     },
     "repository": {
@@ -23,21 +25,16 @@
     "devDependencies": {
         "@aws-sdk/client-ses": "3.484.0",
         "bunyan": "1.8.15",
-        "chai": "4.3.10",
+        "c8": "8.0.1",
+        "eslint": "8.56.0",
         "eslint-config-nodemailer": "1.2.0",
         "eslint-config-prettier": "9.1.0",
-        "grunt": "1.6.1",
-        "grunt-cli": "1.4.3",
-        "grunt-eslint": "24.3.0",
-        "grunt-mocha-test": "0.13.3",
         "libbase64": "1.2.1",
         "libmime": "5.2.1",
         "libqp": "2.0.1",
-        "mocha": "10.2.0",
         "nodemailer-ntlm-auth": "1.0.4",
         "proxy": "1.0.2",
         "proxy-test-server": "1.0.0",
-        "sinon": "17.0.1",
         "smtp-server": "3.13.0"
     },
     "engines": {