Sanatize CRLF characters from emails

Author: Theodore Li

apps/sim/app/api/help/integration-request/route.ts

@@ -10,6 +10,7 @@ import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 
 const logger = createLogger('IntegrationRequestAPI')
+const NO_EMAIL_HEADER_CONTROL_CHARS_REGEX = /^[^\r\n]*$/
 
 const rateLimiter = new RateLimiter()
 
@@ -20,7 +21,12 @@ const PUBLIC_ENDPOINT_RATE_LIMIT: TokenBucketConfig = {
 }
 
 const integrationRequestSchema = z.object({
-  integrationName: z.string().min(1, 'Integration name is required').max(200),
+  integrationName: z
+    .string()
+    .trim()
+    .min(1, 'Integration name is required')
+    .max(200)
+    .regex(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX, 'Invalid characters'),
   email: z.string().email('A valid email is required'),
   useCase: z.string().max(2000).optional(),
 })

apps/sim/app/api/help/route.ts

@@ -10,9 +10,14 @@ import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 
 const logger = createLogger('HelpAPI')
+const NO_EMAIL_HEADER_CONTROL_CHARS_REGEX = /^[^\r\n]*$/
 
 const helpFormSchema = z.object({
-  subject: z.string().min(1, 'Subject is required'),
+  subject: z
+    .string()
+    .trim()
+    .min(1, 'Subject is required')
+    .regex(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX, 'Invalid characters'),
   message: z.string().min(1, 'Message is required'),
   type: z.enum(['bug', 'feedback', 'feature_request', 'other']),
 })

apps/sim/lib/marketing/demo-request.ts

@@ -1,6 +1,8 @@
 import { z } from 'zod'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 
+const NO_EMAIL_HEADER_CONTROL_CHARS_REGEX = /^[^\r\n]*$/
+
 export const DEMO_REQUEST_REGION_VALUES = [
   'north_america',
   'europe',
@@ -38,8 +40,18 @@ export const DEMO_REQUEST_USER_COUNT_OPTIONS = [
 ] as const
 
 export const demoRequestSchema = z.object({
-  firstName: z.string().trim().min(1, 'First name is required').max(100),
-  lastName: z.string().trim().min(1, 'Last name is required').max(100),
+  firstName: z
+    .string()
+    .trim()
+    .min(1, 'First name is required')
+    .max(100)
+    .regex(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX, 'Invalid characters'),
+  lastName: z
+    .string()
+    .trim()
+    .min(1, 'Last name is required')
+    .max(100)
+    .regex(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX, 'Invalid characters'),
   companyEmail: z
     .string()
     .trim()

apps/sim/lib/messaging/email/mailer.test.ts

@@ -175,6 +175,34 @@ describe('mailer', () => {
       expect(result.success).toBe(true)
     })
 
+    it('should sanitize CRLF characters in subjects before sending', async () => {
+      const result = await sendEmail({
+        to: 'test@example.com',
+        subject: 'Hello\r\nBcc: attacker@evil.com',
+        text: 'Plain text content',
+      })
+
+      expect(result.success).toBe(true)
+      expect(mockSend).toHaveBeenCalledWith(
+        expect.objectContaining({
+          subject: 'Hello Bcc: attacker@evil.com',
+        })
+      )
+    })
+
+    it('should reject reply-to values containing header control characters', async () => {
+      const result = await sendEmail({
+        to: 'test@example.com',
+        subject: 'Test Subject',
+        text: 'Plain text content',
+        replyTo: 'user@example.com\r\nBcc: attacker@evil.com',
+      })
+
+      expect(result.success).toBe(false)
+      expect(result.message).toBe('Failed to send email')
+      expect(mockSend).not.toHaveBeenCalled()
+    })
+
     it('should handle multiple recipients as array', async () => {
       const recipients = ['user1@example.com', 'user2@example.com', 'user3@example.com']
       const result = await sendEmail({
@@ -222,6 +250,23 @@ describe('mailer', () => {
       expect(result.results.length).toBeGreaterThanOrEqual(0)
     })
 
+    it('should sanitize CRLF characters in batch email subjects', async () => {
+      await sendBatchEmails({
+        emails: [
+          {
+            ...testEmailOptions,
+            subject: 'Batch\r\nCc: attacker@evil.com',
+          },
+        ],
+      })
+
+      expect(mockBatchSend).toHaveBeenCalledWith([
+        expect.objectContaining({
+          subject: 'Batch Cc: attacker@evil.com',
+        }),
+      ])
+    })
+
     it('should handle transactional emails without unsubscribe check', async () => {
       const batchEmails = [
         { ...testEmailOptions, to: 'user1@example.com', emailType: 'transactional' as EmailType },

apps/sim/lib/messaging/email/mailer.ts

@@ -7,6 +7,7 @@ import { generateUnsubscribeToken, isUnsubscribed } from '@/lib/messaging/email/
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 
 const logger = createLogger('Mailer')
+const EMAIL_HEADER_CONTROL_CHARS_REGEX = /[\r\n]/
 
 export type EmailType = 'transactional' | 'marketing' | 'updates' | 'notifications'
 
@@ -57,6 +58,21 @@ interface ProcessedEmailData {
   replyTo?: string
 }
 
+interface PreparedEmailHeaderData {
+  to: string | string[]
+  subject: string
+  senderEmail: string
+  replyTo?: string
+}
+
+function hasEmailHeaderControlChars(value: string): boolean {
+  return EMAIL_HEADER_CONTROL_CHARS_REGEX.test(value)
+}
+
+function sanitizeEmailSubject(subject: string): string {
+  return subject.replace(/[\r\n]+/g, ' ').trim()
+}
+
 const resendApiKey = env.RESEND_API_KEY
 const azureConnectionString = env.AZURE_ACS_CONNECTION_STRING
 
@@ -172,17 +188,14 @@ function addUnsubscribeData(
 async function processEmailData(options: EmailOptions): Promise<ProcessedEmailData> {
   const {
     to,
-    subject,
     html,
     text,
-    from,
     emailType = 'transactional',
     includeUnsubscribe = true,
     attachments,
-    replyTo,
   } = options
 
-  const senderEmail = from || getFromEmailAddress()
+  const preparedHeaders = prepareEmailHeaders(options)
 
   let finalHtml = html
   let finalText = text
@@ -197,14 +210,43 @@ async function processEmailData(options: EmailOptions): Promise<ProcessedEmailDa
   }
 
   return {
-    to,
-    subject,
+    to: preparedHeaders.to,
+    subject: preparedHeaders.subject,
     html: finalHtml,
     text: finalText,
-    senderEmail,
+    senderEmail: preparedHeaders.senderEmail,
     headers,
     attachments,
-    replyTo,
+    replyTo: preparedHeaders.replyTo,
+  }
+}
+
+function prepareEmailHeaders(options: EmailOptions): PreparedEmailHeaderData {
+  const senderEmail = options.from || getFromEmailAddress()
+  const recipients = Array.isArray(options.to) ? options.to : [options.to]
+
+  if (recipients.some(hasEmailHeaderControlChars)) {
+    throw new Error('Invalid recipient email header')
+  }
+
+  if (hasEmailHeaderControlChars(senderEmail)) {
+    throw new Error('Invalid from email header')
+  }
+
+  if (options.replyTo && hasEmailHeaderControlChars(options.replyTo)) {
+    throw new Error('Invalid reply-to email header')
+  }
+
+  const subject = sanitizeEmailSubject(options.subject)
+  if (subject.length === 0) {
+    throw new Error('Email subject cannot be empty')
+  }
+
+  return {
+    to: options.to,
+    subject,
+    senderEmail,
+    replyTo: options.replyTo,
   }
 }
 
@@ -359,11 +401,11 @@ async function sendBatchWithResend(emails: EmailOptions[]): Promise<BatchSendEma
       }
     }
 
-    const senderEmail = email.from || getFromEmailAddress()
+    const preparedHeaders = prepareEmailHeaders(email)
     const emailData: any = {
-      from: senderEmail,
-      to: email.to,
-      subject: email.subject,
+      from: preparedHeaders.senderEmail,
+      to: preparedHeaders.to,
+      subject: preparedHeaders.subject,
     }
 
     if (includeUnsubscribe && emailType !== 'transactional') {