sapphiregaze / discord-verification

Frontend application used to automate Discord member email verification.
MIT License

Email injection vulnerability through nodemailer #7

Closed sapphiregaze closed 1 year ago

sapphiregaze commented 1 year ago

Description

Nodemailer can take multiple emails as an argument. If a malicious user were to enter

FAKE@ACCEPTED-DOMAIN@, REAL@UNACCEPTED-DOMAIN

in the email input of the initial-modal, it would bypass the domain checks due to improper input sanitization, as it would send an email to both the invalid fake email and the real email from an unverified source, providing the verification code to the malicious user.

Affected Files

index.js

Potential Fix

Sanitize the input to ensure only 1 email with a valid domain is passed in as email input with

// Keep only the first local part and the first domain, rejoined with '@'
const userEmail = emailInput.split('@')[0] + '@' + emailInput.split('@')[1];

or by importing and utilizing a sanitization library.

sapphiregaze commented 1 year ago

Fix potential Unicode injection to bypass filter.
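
A stricter variant of the check discussed in the issue and the follow-up comment, as an added example that is not part of the original issue or the project's code: instead of trimming the input, it rejects anything that is not exactly one ASCII address at an accepted domain. The names `validateSingleEmail` and `ALLOWED_DOMAINS` and the domain `accepted.example` are assumptions.

```javascript
// Added example: accept exactly one address at an allowed domain, or nothing.
// `validateSingleEmail` and ALLOWED_DOMAINS are hypothetical names; the
// domain below is a constructed placeholder.
const ALLOWED_DOMAINS = new Set(['accepted.example']);

// Conservative ASCII-only shapes. Anything outside them is rejected, which
// excludes list separators (, ;), whitespace, angle brackets, quotes,
// CR/LF and every non-ASCII character, including look-alike '@' signs.
const LOCAL_PART = /^[A-Za-z0-9._+-]{1,64}$/;
const DOMAIN = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function validateSingleEmail(input) {
  if (typeof input !== 'string' || input.length > 254) return null;

  // Exactly one '@': split must produce two parts, no more.
  const parts = input.split('@');
  if (parts.length !== 2) return null;

  const [local, domain] = parts;
  if (!LOCAL_PART.test(local) || !DOMAIN.test(domain)) return null;

  // Compare the domain case-insensitively against the allowlist.
  const normalizedDomain = domain.toLowerCase();
  if (!ALLOWED_DOMAINS.has(normalizedDomain)) return null;

  // Return the one address that passed the checks; the caller sends
  // mail to this value only, never to the raw input.
  return `${local}@${normalizedDomain}`;
}
```

The returned string, not the raw form input, is what should be handed to the mail library; a `null` result means the request is refused.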