Skip to content

fix(gmail): strip CR/LF from header values before MIME assembly#5395

Merged
waleedlatif1 merged 2 commits into
stagingfrom
fix/gmail-header-crlf
Jul 3, 2026
Merged

fix(gmail): strip CR/LF from header values before MIME assembly#5395
waleedlatif1 merged 2 commits into
stagingfrom
fix/gmail-header-crlf

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • buildSimpleEmailMessage and buildMimeMessage now sanitize to, cc, bcc, subject, inReplyTo, references, and the attachment filename before placing them into MIME header lines
  • Adds a shared sanitizeHeaderValue helper (alongside encodeRfc2047/escapeHtml) that collapses embedded CR/LF to a single space
  • Added test coverage for CR/LF-containing values on every affected field, plus regression coverage for normal ASCII/Unicode/multi-recipient values

Type of Change

  • Bug fix

Testing

  • bunx vitest run apps/sim/tools/gmail/utils.test.ts — 28 passed
  • bunx tsc --noEmit clean on touched file
  • bunx biome check clean
  • bun run check:api-validation passed

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Adds sanitizeHeaderValue and applies it to to/cc/bcc/subject/
inReplyTo/references and the attachment filename in
buildSimpleEmailMessage and buildMimeMessage before they're placed
into MIME header lines.
@vercel

vercel Bot commented Jul 3, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 3, 2026 9:20pm

Request Review

@cursor

cursor Bot commented Jul 3, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Security-sensitive email-sending path; behavior change is narrow (newline stripping) but affects all outbound Gmail MIME built through these helpers.

Overview
Closes a MIME header injection hole where embedded \r/\n in user-supplied fields could split the raw message and add extra headers (e.g. a hidden Bcc:).

Adds sanitizeHeaderValue, which collapses any CR/LF runs to a single space, and applies it in buildSimpleEmailMessage and buildMimeMessage for to, cc, bcc, subject, inReplyTo, references, and attachment filename / mimeType before those values are written into header lines. buildMimeMessage also sanitizes threading fields before building References.

Tests cover the helper, injection-style cases on every affected field, and regressions for normal ASCII, Unicode, and multi-recipient values.

Reviewed by Cursor Bugbot for commit b138317. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR hardens the Gmail MIME assembly utilities against header-injection attacks by introducing a sanitizeHeaderValue helper that collapses embedded CR/LF sequences to a single space, then applies it to every user-supplied value that lands in a raw MIME header line.

  • sanitizeHeaderValue helper added alongside encodeRfc2047/escapeHtml; the regex /[\r\n]+/g correctly collapses bare \r, bare \n, and \r\n (including repeated sequences) to a single space.
  • buildSimpleEmailMessage and buildMimeMessage both now sanitize to, cc, bcc, subject, inReplyTo, references, attachment filename, and attachment mimeType before placing them into MIME header lines.
  • Test coverage is thorough: unit tests for the new helper, and integration-style tests verifying that injected \r\n values in every affected field do not produce extra header lines in the assembled message.

Confidence Score: 5/5

The change is safe to merge — it applies a focused, low-risk sanitization step to user-supplied MIME header values in two utility functions, with no side effects on the rest of the codebase.

All user-controlled fields that land in MIME header lines are now passed through sanitizeHeaderValue before interpolation. The helper itself is a single-line regex replace with no error paths. Test coverage is comprehensive and directly verifies the injection scenarios.

No files require special attention — both changed files are small, focused, and well-tested.

Important Files Changed

Filename Overview
apps/sim/tools/gmail/utils.ts Adds sanitizeHeaderValue helper and applies it to all user-controlled MIME header fields in both buildSimpleEmailMessage and buildMimeMessage, including attachment mimeType and filename. Change is minimal, targeted, and correct.
apps/sim/tools/gmail/utils.test.ts Adds unit tests for sanitizeHeaderValue (bare CR, bare LF, CRLF, consecutive newlines, clean values) and injection regression tests for every affected header field in both buildSimpleEmailMessage and buildMimeMessage, including mimeType.

Reviews (4): Last reviewed commit: "fix(gmail): sanitize attachment mimeType..." | Re-trigger Greptile

Comment thread apps/sim/tools/gmail/utils.ts Outdated
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

attachment.mimeType was written verbatim into the Content-Type header,
unlike the other header fields this PR sanitizes. Route it through the
same sanitizeHeaderValue helper for consistency.
@waleedlatif1 waleedlatif1 force-pushed the fix/gmail-header-crlf branch from 8d94ec7 to b138317 Compare July 3, 2026 21:20
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 8d94ec7. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit b138317. Configure here.

@waleedlatif1 waleedlatif1 merged commit fd98218 into staging Jul 3, 2026
13 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/gmail-header-crlf branch July 3, 2026 21:25
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant