extract shared email header safety regex

Co-authored-by: Theodore Li <TheodoreSpeaks@users.noreply.github.com>

Author: cursoragent

apps/sim/app/api/help/integration-request/route.ts

@@ -6,11 +6,11 @@ import type { TokenBucketConfig } from '@/lib/core/rate-limiter'
 import { RateLimiter } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getEmailDomain } from '@/lib/core/utils/urls'
+import { NO_EMAIL_HEADER_CONTROL_CHARS_REGEX } from '@/lib/messaging/email/header-safety'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 
 const logger = createLogger('IntegrationRequestAPI')
-const NO_EMAIL_HEADER_CONTROL_CHARS_REGEX = /^[^\r\n]*$/
 
 const rateLimiter = new RateLimiter()
 

apps/sim/app/api/help/route.ts

@@ -6,11 +6,11 @@ import { getSession } from '@/lib/auth'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getEmailDomain } from '@/lib/core/utils/urls'
+import { NO_EMAIL_HEADER_CONTROL_CHARS_REGEX } from '@/lib/messaging/email/header-safety'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 
 const logger = createLogger('HelpAPI')
-const NO_EMAIL_HEADER_CONTROL_CHARS_REGEX = /^[^\r\n]*$/
 
 const helpFormSchema = z.object({
   subject: z

apps/sim/lib/marketing/demo-request.ts

@@ -1,7 +1,6 @@
 import { z } from 'zod'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
-
-const NO_EMAIL_HEADER_CONTROL_CHARS_REGEX = /^[^\r\n]*$/
+import { NO_EMAIL_HEADER_CONTROL_CHARS_REGEX } from '@/lib/messaging/email/header-safety'
 
 export const DEMO_REQUEST_REGION_VALUES = [
   'north_america',

apps/sim/lib/messaging/email/header-safety.test.ts

@@ -0,0 +1,27 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import {
+  EMAIL_HEADER_CONTROL_CHARS_REGEX,
+  hasEmailHeaderControlChars,
+  NO_EMAIL_HEADER_CONTROL_CHARS_REGEX,
+} from '@/lib/messaging/email/header-safety'
+
+describe('email header safety', () => {
+  it('rejects CRLF characters consistently', () => {
+    const injectedHeader = 'Hello\r\nBcc: attacker@example.com'
+
+    expect(EMAIL_HEADER_CONTROL_CHARS_REGEX.test(injectedHeader)).toBe(true)
+    expect(hasEmailHeaderControlChars(injectedHeader)).toBe(true)
+    expect(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX.test(injectedHeader)).toBe(false)
+  })
+
+  it('allows plain header content', () => {
+    const safeHeader = 'Product feedback'
+
+    expect(EMAIL_HEADER_CONTROL_CHARS_REGEX.test(safeHeader)).toBe(false)
+    expect(hasEmailHeaderControlChars(safeHeader)).toBe(false)
+    expect(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX.test(safeHeader)).toBe(true)
+  })
+})

apps/sim/lib/messaging/email/header-safety.ts

@@ -0,0 +1,7 @@
+export const EMAIL_HEADER_CONTROL_CHARS_REGEX = /[\r\n]/
+
+export const NO_EMAIL_HEADER_CONTROL_CHARS_REGEX = /^[^\r\n]*$/
+
+export function hasEmailHeaderControlChars(value: string): boolean {
+  return EMAIL_HEADER_CONTROL_CHARS_REGEX.test(value)
+}

apps/sim/lib/messaging/email/mailer.ts

@@ -3,11 +3,11 @@ import { createLogger } from '@sim/logger'
 import { Resend } from 'resend'
 import { env } from '@/lib/core/config/env'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import { hasEmailHeaderControlChars } from '@/lib/messaging/email/header-safety'
 import { generateUnsubscribeToken, isUnsubscribed } from '@/lib/messaging/email/unsubscribe'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 
 const logger = createLogger('Mailer')
-const EMAIL_HEADER_CONTROL_CHARS_REGEX = /[\r\n]/
 
 export type EmailType = 'transactional' | 'marketing' | 'updates' | 'notifications'
 
@@ -65,10 +65,6 @@ interface PreparedEmailHeaderData {
   replyTo?: string
 }
 
-function hasEmailHeaderControlChars(value: string): boolean {
-  return EMAIL_HEADER_CONTROL_CHARS_REGEX.test(value)
-}
-
 function sanitizeEmailSubject(subject: string): string {
   return subject.replace(/[\r\n]+/g, ' ').trim()
 }