search

reallyreadit / api

The Readup API server.
GNU Affero General Public License v3.0
0 stars 0 forks source link

Accounts with invalid emails can be created #8

Open th0rgall opened 2 years ago

th0rgall commented 2 years ago

Example: asdjfsdk;@diafj.com, with the invalid ; character.

This leads to errors like the following when the API server tries to send mail:

[00:31:35 INF] Request starting HTTP/1.0 POST http://readup-api:5000/Social/Post application/json 72
[00:31:35 INF] Authorization was successful.
[00:31:35 INF] Executing endpoint 'api.Controllers.Social.SocialController.Post (api)'
[00:31:35 INF] Route matched with {action = "Post", controller = "Social"}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Post(api.Encryption.ObfuscationService, api.Notifications.NotificationService, api.Commenting.CommentingService, api.Controllers.Social.PostForm) on controller api.Controllers.Social.SocialController (api).
[00:31:35 INF] Executing JsonResult, writing value of type 'api.Controllers.Social.Post'.
[00:31:35 ERR] Error occurred executing workItem.
MimeKit.ParseException: Invalid addr-spec token at offset 0
   at MimeKit.InternetAddress.TryParseAddrspec(Byte[] text, Int32& index, Int32 endIndex, Byte[] sentinels, Boolean throwOnError, String& addrspec, Int32& at)
   at MimeKit.MailboxAddress.set_Address(String value)
   at MimeKit.MailboxAddress..ctor(Encoding encoding, String name, String address)
   at MimeKit.MailboxAddress..ctor(String name, String address)
   at api.Messaging.SmtpEmailService.Send(EmailMessage[] messages) in /api/src/Messaging/SmtpEmailService.cs:line 51
   at api.Messaging.EmailService.<>c__DisplayClass9_0`1.<<Send>b__1>d.MoveNext() in /api/src/Messaging/EmailService.cs:line 105
--- End of stack trace from previous location where exception was thrown ---
   at api.BackgroundProcessing.QueuedHostedService.BackgroundProcessing(CancellationToken stoppingToken) in /api/src/BackgroundProcessing/QueuedHostedService.cs:line 42
[00:31:36 INF] Executed action api.Controllers.Social.SocialController.Post (api) in 687.685ms
[00:31:36 INF] Executed endpoint 'api.Controllers.Social.SocialController.Post (api)'
[00:31:36 INF] Request finished in 704.1157ms 200 application/json; charset=utf-8

The Invalid addr-spec token at offset 0 being the critical issue here.

jacamera commented 2 years ago

I don't think "Accounts with invalid emails can be created" is actually a problem that we want to solve. Validating email addresses is non-trivial: https://stackoverflow.com/questions/20771794/mailrfc822address-regex

I think we should probably instead catch these exceptions when sending and perhaps block future sending to the offending address. We already have the ability to block certain email addresses when a mail server sends us a spam or bounce report so I think we should be able to reuse that same system to block sending to invalid addresses.