Files
multica/server/internal/service/email.go
Bohan Jiang a71aa6c544 fix(email): sanitize invitation Subject and lock behavior with tests (#1140)
Follow-up to #1126 (which closed the HTML-injection vector in the Body).

The Subject line is not HTML-rendered, so html.EscapeString would leak
literal entities into recipient inboxes. Instead:

- Strip control characters from workspace/inviter names (defense in depth
  even though Resend also filters CR/LF).
- Cap each field at 60 runes so an attacker can't stuff a full phishing
  pitch into a workspace name that gets sent from noreply@multica.ai.

Also extracts buildInvitationParams to make the sanitization logic
testable without mocking the Resend SDK, and adds a test covering:
  - HTML escape behavior for script/attribute/anchor injection payloads
  - Subject stripping of \r\n\t and other unicode controls
  - Subject NOT being HTML-escaped (so "Acme & Co." stays literal)
  - Subject length bounds
  - Benign inputs pass through unchanged

Adds a note on SendVerificationCode that its body uses only
server-generated content, to prevent the same pitfall from creeping in.

Refs #1117
2026-04-16 13:02:12 +08:00

135 lines
4.6 KiB
Go

package service
import (
"fmt"
"html"
"os"
"strings"
"unicode"
"unicode/utf8"
"github.com/resend/resend-go/v2"
)
// maxSubjectFieldRunes bounds how much user-controlled text (workspace name,
// inviter name) can land in an email Subject. Prevents attackers from stuffing
// a full phishing pitch into a workspace name that gets sent from our domain.
const maxSubjectFieldRunes = 60
type EmailService struct {
client *resend.Client
fromEmail string
}
func NewEmailService() *EmailService {
apiKey := os.Getenv("RESEND_API_KEY")
from := os.Getenv("RESEND_FROM_EMAIL")
if from == "" {
from = "noreply@multica.ai"
}
var client *resend.Client
if apiKey != "" {
client = resend.NewClient(apiKey)
}
return &EmailService{
client: client,
fromEmail: from,
}
}
// SendVerificationCode sends a one-time login code. The code is server-generated
// (6-digit numeric) so no user-controlled text reaches the email body here.
// If that ever changes, escape the user-controlled fields the same way
// SendInvitationEmail does.
func (s *EmailService) SendVerificationCode(to, code string) error {
if s.client == nil {
fmt.Printf("[DEV] Verification code for %s: %s\n", to, code)
return nil
}
params := &resend.SendEmailRequest{
From: s.fromEmail,
To: []string{to},
Subject: "Your Multica verification code",
Html: fmt.Sprintf(
`<div style="font-family: sans-serif; max-width: 400px; margin: 0 auto;">
<h2>Your verification code</h2>
<p style="font-size: 32px; font-weight: bold; letter-spacing: 8px; margin: 24px 0;">%s</p>
<p>This code expires in 10 minutes.</p>
<p style="color: #666; font-size: 14px;">If you didn't request this code, you can safely ignore this email.</p>
</div>`, code),
}
_, err := s.client.Emails.Send(params)
return err
}
// SendInvitationEmail notifies the invitee that they have been invited to a workspace.
// invitationID is included in the URL so the email deep-links to /invite/{id}.
func (s *EmailService) SendInvitationEmail(to, inviterName, workspaceName, invitationID string) error {
appURL := strings.TrimSpace(os.Getenv("FRONTEND_ORIGIN"))
if appURL == "" {
appURL = "https://app.multica.ai"
}
inviteURL := fmt.Sprintf("%s/invite/%s", appURL, invitationID)
if s.client == nil {
fmt.Printf("[DEV] Invitation email to %s: %s invited you to %s — %s\n", to, inviterName, workspaceName, inviteURL)
return nil
}
params := buildInvitationParams(s.fromEmail, to, inviterName, workspaceName, inviteURL)
_, err := s.client.Emails.Send(params)
return err
}
// buildInvitationParams assembles the Resend request for an invitation email.
// Separated from SendInvitationEmail so the sanitization behavior is unit-testable
// without needing to mock the Resend SDK.
func buildInvitationParams(from, to, inviterName, workspaceName, inviteURL string) *resend.SendEmailRequest {
safeWorkspace := html.EscapeString(workspaceName)
safeInviter := html.EscapeString(inviterName)
subjectInviter := sanitizeSubjectField(inviterName)
subjectWorkspace := sanitizeSubjectField(workspaceName)
return &resend.SendEmailRequest{
From: from,
To: []string{to},
Subject: fmt.Sprintf("%s invited you to %s on Multica", subjectInviter, subjectWorkspace),
Html: fmt.Sprintf(
`<div style="font-family: sans-serif; max-width: 480px; margin: 0 auto;">
<h2>You're invited to join %s</h2>
<p><strong>%s</strong> invited you to collaborate in the <strong>%s</strong> workspace on Multica.</p>
<p style="margin: 24px 0;">
<a href="%s" style="display: inline-block; padding: 12px 24px; background: #000; color: #fff; text-decoration: none; border-radius: 6px; font-weight: 500;">Accept invitation</a>
</p>
<p style="color: #666; font-size: 14px;">You'll need to log in to accept or decline the invitation.</p>
</div>`, safeWorkspace, safeInviter, safeWorkspace, inviteURL),
}
}
// sanitizeSubjectField prepares user-controlled text for the email Subject line.
// Subject is not HTML-rendered, so HTML-escaping would leak literal entities
// (e.g. &lt;script&gt;) into the recipient's inbox. Instead strip control
// characters (defense in depth against header-injection-adjacent abuse even
// though Resend also filters CR/LF) and cap length so attackers can't stuff
// a full phishing subject into a workspace name.
func sanitizeSubjectField(s string) string {
var b strings.Builder
b.Grow(len(s))
for _, r := range s {
if unicode.IsControl(r) {
continue
}
b.WriteRune(r)
}
cleaned := b.String()
if utf8.RuneCountInString(cleaned) <= maxSubjectFieldRunes {
return cleaned
}
runes := []rune(cleaned)
return string(runes[:maxSubjectFieldRunes-1]) + "…"
}