mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-16 14:49:09 +02:00
Follow-up to #1126 (which closed the HTML-injection vector in the Body). The Subject line is not HTML-rendered, so html.EscapeString would leak literal entities into recipient inboxes. Instead: - Strip control characters from workspace/inviter names (defense in depth even though Resend also filters CR/LF). - Cap each field at 60 runes so an attacker can't stuff a full phishing pitch into a workspace name that gets sent from noreply@multica.ai. Also extracts buildInvitationParams to make the sanitization logic testable without mocking the Resend SDK, and adds a test covering: - HTML escape behavior for script/attribute/anchor injection payloads - Subject stripping of \r\n\t and other unicode controls - Subject NOT being HTML-escaped (so "Acme & Co." stays literal) - Subject length bounds - Benign inputs pass through unchanged Adds a note on SendVerificationCode that its body uses only server-generated content, to prevent the same pitfall from creeping in. Refs #1117
135 lines
4.6 KiB
Go
135 lines
4.6 KiB
Go
package service
|
|
|
|
import (
|
|
"fmt"
|
|
"html"
|
|
"os"
|
|
"strings"
|
|
"unicode"
|
|
"unicode/utf8"
|
|
|
|
"github.com/resend/resend-go/v2"
|
|
)
|
|
|
|
// maxSubjectFieldRunes bounds how much user-controlled text (workspace name,
|
|
// inviter name) can land in an email Subject. Prevents attackers from stuffing
|
|
// a full phishing pitch into a workspace name that gets sent from our domain.
|
|
const maxSubjectFieldRunes = 60
|
|
|
|
type EmailService struct {
|
|
client *resend.Client
|
|
fromEmail string
|
|
}
|
|
|
|
func NewEmailService() *EmailService {
|
|
apiKey := os.Getenv("RESEND_API_KEY")
|
|
from := os.Getenv("RESEND_FROM_EMAIL")
|
|
if from == "" {
|
|
from = "noreply@multica.ai"
|
|
}
|
|
|
|
var client *resend.Client
|
|
if apiKey != "" {
|
|
client = resend.NewClient(apiKey)
|
|
}
|
|
|
|
return &EmailService{
|
|
client: client,
|
|
fromEmail: from,
|
|
}
|
|
}
|
|
|
|
// SendVerificationCode sends a one-time login code. The code is server-generated
|
|
// (6-digit numeric) so no user-controlled text reaches the email body here.
|
|
// If that ever changes, escape the user-controlled fields the same way
|
|
// SendInvitationEmail does.
|
|
func (s *EmailService) SendVerificationCode(to, code string) error {
|
|
if s.client == nil {
|
|
fmt.Printf("[DEV] Verification code for %s: %s\n", to, code)
|
|
return nil
|
|
}
|
|
|
|
params := &resend.SendEmailRequest{
|
|
From: s.fromEmail,
|
|
To: []string{to},
|
|
Subject: "Your Multica verification code",
|
|
Html: fmt.Sprintf(
|
|
`<div style="font-family: sans-serif; max-width: 400px; margin: 0 auto;">
|
|
<h2>Your verification code</h2>
|
|
<p style="font-size: 32px; font-weight: bold; letter-spacing: 8px; margin: 24px 0;">%s</p>
|
|
<p>This code expires in 10 minutes.</p>
|
|
<p style="color: #666; font-size: 14px;">If you didn't request this code, you can safely ignore this email.</p>
|
|
</div>`, code),
|
|
}
|
|
|
|
_, err := s.client.Emails.Send(params)
|
|
return err
|
|
}
|
|
|
|
// SendInvitationEmail notifies the invitee that they have been invited to a workspace.
|
|
// invitationID is included in the URL so the email deep-links to /invite/{id}.
|
|
func (s *EmailService) SendInvitationEmail(to, inviterName, workspaceName, invitationID string) error {
|
|
appURL := strings.TrimSpace(os.Getenv("FRONTEND_ORIGIN"))
|
|
if appURL == "" {
|
|
appURL = "https://app.multica.ai"
|
|
}
|
|
inviteURL := fmt.Sprintf("%s/invite/%s", appURL, invitationID)
|
|
|
|
if s.client == nil {
|
|
fmt.Printf("[DEV] Invitation email to %s: %s invited you to %s — %s\n", to, inviterName, workspaceName, inviteURL)
|
|
return nil
|
|
}
|
|
|
|
params := buildInvitationParams(s.fromEmail, to, inviterName, workspaceName, inviteURL)
|
|
_, err := s.client.Emails.Send(params)
|
|
return err
|
|
}
|
|
|
|
// buildInvitationParams assembles the Resend request for an invitation email.
|
|
// Separated from SendInvitationEmail so the sanitization behavior is unit-testable
|
|
// without needing to mock the Resend SDK.
|
|
func buildInvitationParams(from, to, inviterName, workspaceName, inviteURL string) *resend.SendEmailRequest {
|
|
safeWorkspace := html.EscapeString(workspaceName)
|
|
safeInviter := html.EscapeString(inviterName)
|
|
subjectInviter := sanitizeSubjectField(inviterName)
|
|
subjectWorkspace := sanitizeSubjectField(workspaceName)
|
|
|
|
return &resend.SendEmailRequest{
|
|
From: from,
|
|
To: []string{to},
|
|
Subject: fmt.Sprintf("%s invited you to %s on Multica", subjectInviter, subjectWorkspace),
|
|
Html: fmt.Sprintf(
|
|
`<div style="font-family: sans-serif; max-width: 480px; margin: 0 auto;">
|
|
<h2>You're invited to join %s</h2>
|
|
<p><strong>%s</strong> invited you to collaborate in the <strong>%s</strong> workspace on Multica.</p>
|
|
<p style="margin: 24px 0;">
|
|
<a href="%s" style="display: inline-block; padding: 12px 24px; background: #000; color: #fff; text-decoration: none; border-radius: 6px; font-weight: 500;">Accept invitation</a>
|
|
</p>
|
|
<p style="color: #666; font-size: 14px;">You'll need to log in to accept or decline the invitation.</p>
|
|
</div>`, safeWorkspace, safeInviter, safeWorkspace, inviteURL),
|
|
}
|
|
}
|
|
|
|
// sanitizeSubjectField prepares user-controlled text for the email Subject line.
|
|
// Subject is not HTML-rendered, so HTML-escaping would leak literal entities
|
|
// (e.g. <script>) into the recipient's inbox. Instead strip control
|
|
// characters (defense in depth against header-injection-adjacent abuse even
|
|
// though Resend also filters CR/LF) and cap length so attackers can't stuff
|
|
// a full phishing subject into a workspace name.
|
|
func sanitizeSubjectField(s string) string {
|
|
var b strings.Builder
|
|
b.Grow(len(s))
|
|
for _, r := range s {
|
|
if unicode.IsControl(r) {
|
|
continue
|
|
}
|
|
b.WriteRune(r)
|
|
}
|
|
cleaned := b.String()
|
|
if utf8.RuneCountInString(cleaned) <= maxSubjectFieldRunes {
|
|
return cleaned
|
|
}
|
|
runes := []rune(cleaned)
|
|
return string(runes[:maxSubjectFieldRunes-1]) + "…"
|
|
}
|