Merge branch 'master' into apple-oidc-callback-csrf

ory · Nov 29, 2023 · ef22a12 · ef22a12
2 parents 7f8691e + 7c0e02e
commit ef22a12
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@
 
 **Table of Contents**
 
-- [ (2023-11-22)](#2023-11-22)
+- [ (2023-11-29)](#2023-11-29)
   - [Breaking Changes](#breaking-changes)
     - [Bug Fixes](#bug-fixes)
     - [Documentation](#documentation)
@@ -314,7 +314,7 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [](https://github.com/ory/kratos/compare/v1.0.0...v) (2023-11-22)
+# [](https://github.com/ory/kratos/compare/v1.0.0...v) (2023-11-29)
 
 ## Breaking Changes
 
@@ -533,6 +533,8 @@ https://github.com/ory/kratos/pull/3480
 
   - chore: refactor
 
+- Panic in recovery ([#3639](https://github.com/ory/kratos/issues/3639))
+  ([c25ddff](https://github.com/ory/kratos/commit/c25ddffd2270a8d0861e2fc78cd0ba26e63af4eb))
 - Pass context ([#3452](https://github.com/ory/kratos/issues/3452))
   ([c492bdc](https://github.com/ory/kratos/commit/c492bdcd0c5dbdf527ae523d879a6c1eeb9c4cdf))
 - Properly normalize OIDC verified emails
@@ -584,6 +586,8 @@ https://github.com/ory/kratos/pull/3480
 - Registration with verification
   ([#3451](https://github.com/ory/kratos/issues/3451))
   ([77c3196](https://github.com/ory/kratos/commit/77c3196fd60c5927b84e9a7f6546f80ac2d78ee5))
+- Reject obviously invalid email addresses from courier
+  ([8cb9e4c](https://github.com/ory/kratos/commit/8cb9e4cae9dffd4c25d52920186f9c5fbe2bd0fe))
 - Remove `earliest_possible_extend` default in schema
   ([#3464](https://github.com/ory/kratos/issues/3464))
   ([7e05b7d](https://github.com/ory/kratos/commit/7e05b7db3c01efc96185ac18042e971e33da37c8))

diff --git a/courier/smtp.go b/courier/smtp.go
@@ -8,6 +8,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"net/mail"
 	"net/textproto"
 	"strconv"
 	"time"
@@ -118,6 +119,9 @@ func (c *courier) QueueEmail(ctx context.Context, t EmailTemplate) (uuid.UUID, e
 	if err != nil {
 		return uuid.Nil, err
 	}
+	if _, err := mail.ParseAddress(recipient); err != nil {
+		return uuid.Nil, err
+	}
 
 	subject, err := t.EmailSubject(ctx)
 	if err != nil {

diff --git a/courier/smtp_test.go b/courier/smtp_test.go
@@ -8,6 +8,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
+	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"flag"
@@ -19,8 +20,6 @@ import (
 	"testing"
 	"time"
 
-	"crypto/x509"
-
 	"github.com/gofrs/uuid"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -55,21 +54,21 @@ func TestNewSMTP(t *testing.T) {
 		t.SkipNow()
 	}
 
-	//Should enforce StartTLS => dialer.StartTLSPolicy = gomail.MandatoryStartTLS and dialer.SSL = false
+	// Should enforce StartTLS => dialer.StartTLSPolicy = gomail.MandatoryStartTLS and dialer.SSL = false
 	smtp := setupCourier("smtp://foo:bar@my-server:1234/")
 	assert.Equal(t, smtp.SmtpDialer().StartTLSPolicy, gomail.MandatoryStartTLS, "StartTLS not enforced")
 	assert.Equal(t, smtp.SmtpDialer().SSL, false, "Implicit TLS should not be enabled")
 
-	//Should enforce TLS => dialer.SSL = true
+	// Should enforce TLS => dialer.SSL = true
 	smtp = setupCourier("smtps://foo:bar@my-server:1234/")
 	assert.Equal(t, smtp.SmtpDialer().SSL, true, "Implicit TLS should be enabled")
 
-	//Should allow cleartext => dialer.StartTLSPolicy = gomail.OpportunisticStartTLS and dialer.SSL = false
+	// Should allow cleartext => dialer.StartTLSPolicy = gomail.OpportunisticStartTLS and dialer.SSL = false
 	smtp = setupCourier("smtp://foo:bar@my-server:1234/?disable_starttls=true")
 	assert.Equal(t, smtp.SmtpDialer().StartTLSPolicy, gomail.OpportunisticStartTLS, "StartTLS is enforced")
 	assert.Equal(t, smtp.SmtpDialer().SSL, false, "Implicit TLS should not be enabled")
 
-	//Test cert based SMTP client auth
+	// Test cert based SMTP client auth
 	clientCert, clientKey, err := generateTestClientCert()
 	require.NoError(t, err)
 	defer os.Remove(clientCert.Name())
@@ -88,8 +87,8 @@ func TestNewSMTP(t *testing.T) {
 	assert.Equal(t, smtpWithCert.SmtpDialer().TLSConfig.ServerName, "my-server", "TLS config server name should match")
 	assert.Contains(t, smtpWithCert.SmtpDialer().TLSConfig.Certificates, clientPEM, "TLS config should contain client pem")
 
-	//error case: invalid client key
-	conf.Set(ctx, config.ViperKeyCourierSMTPClientKeyPath, clientCert.Name()) //mixup client key and client cert
+	// error case: invalid client key
+	conf.Set(ctx, config.ViperKeyCourierSMTPClientKeyPath, clientCert.Name()) // mixup client key and client cert
 	smtpWithCert = setupCourier("smtps://subdomain.my-server:1234/?server_name=my-server")
 	assert.Equal(t, len(smtpWithCert.SmtpDialer().TLSConfig.Certificates), 0, "TLS config certificates should be empty")
 }
@@ -117,6 +116,13 @@ func TestQueueEmail(t *testing.T) {
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
+	_, err = c.QueueEmail(ctx, templates.NewTestStub(reg, &templates.TestStubModel{
+		To:      "invalid-email",
+		Subject: "test-subject-1",
+		Body:    "test-body-1",
+	}))
+	require.Error(t, err)
+
 	id, err := c.QueueEmail(ctx, templates.NewTestStub(reg, &templates.TestStubModel{
 		To:      "[email protected]",
 		Subject: "test-subject-1",