Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancement: make client sided validation optional, turning off address validation and CRLF injection detection #390

Closed
jllanes3 opened this issue Mar 19, 2022 · 3 comments

Comments

@jllanes3
Copy link

The library performs client side validation and fails client side if any of those validations fail (opinionated client). For example, library will fail if the scanForInjectionAttack(...) in MailerHelper.java throws an exception if client passes a subject with containing a \n string. The same applies to many other cases even on the email address format.

Whereas this is "good" thing to have in general, some client have uses cases where a lot of this sanitation and error handling is done server side (server helps clients in some sense).

Detecting on client side is excellent, but failing to send is a huge back-compat issue for clients moving to use this library, but whose server has traditionally done most of the checks/cleanups up to now (i.e. server accepts a subject with a \n and sanitizes for clients).

This can trigger failures on client side that were not there before and that the server was handling up to now, and client ends up with emails that simply cannot be sent using this library, whereas before they could be sent with the issues present.

The ask is to expose the validator as a class that clients can run on their own to detect this issues and fix them reactively, while also allowing them to disable such validation when sending the email to the server so that emails can continue to flow to a server that accepted them before.

@bbottema
Copy link
Owner

bbottema commented Mar 20, 2022

Fair point, I think offering API to reduce the strictness sounds reasonable. With the address validation this is already possible and in the past I've already made previously-mandatory fields optional, but CRLF detection is not optional. Is that the only thing thing left?

Providing api to fix emails seems backwards to me though. You can make sure to build a proper email before trying to send it with Simple Java Mail. As a library user you are completely free to fix that, the CRLF exceptions are a different matter and could be made to only log warnings (or ignore completely).

@jllanes3
Copy link
Author

I would say that any client side validation can be troublesome for existing applications trying to move to use this library, specially if the server is not owned by such apps, and has accepted certain inputs before (helped clients), and the content is not owned by the apps either.

I think this entire class should be thought off in the same category (using 6.6.1 references):
MailerHelper.java

It does:

  • recipient validations
  • subject validations
  • header validations
  • email address validations (I think this one is optional)
  • etc.

I think its great to have visibility into this, but failing to send is the trouble I have because there is not way to recover from it other than reverting back to older library or "trying" to help with the input, which an application may have zero control over (they don't own the input and may have allowed bad input to go through and servers accepted).

@bbottema bbottema removed this from the 7.2.0 milestone Jul 13, 2022
@bbottema bbottema changed the title Enable client side email validation as optional. Expose email validator as a utility class. Enhancement: make client sided validation optional, turning off address validation and CRLF injection detection Jul 28, 2022
bbottema added a commit that referenced this issue Jul 28, 2022
@bbottema bbottema added this to the 7.5.0 milestone Jul 28, 2022
@bbottema
Copy link
Owner

Released in 7.5.0.

You can now disabled client-side validation (which override any email address configuration), like so:

currentMailerBuilder.disablingAllClientValidation(true);

Not that this disables address validation and CRLF injection scans, but completeness checks are still performed. But unless you use the API wrong, this should never trigger and exception.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants