Escape password in smtp url (projectdiscovery#258)

* chore(deps): bump golang.org/x/net Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20220909164309-bea034e7d591 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * ✅ Add failing test when password contains `#` Refactor smtp.Send by extracting the build of url to better test this part * 🐛 Escape password to return valid url --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
fopina · May 27, 2023 · a3e1e00 · a3e1e00
1 parent 258ca0a
commit a3e1e00
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 4 deletions.
diff --git a/pkg/providers/smtp/smtp.go b/pkg/providers/smtp/smtp.go
@@ -2,6 +2,7 @@ package smtp
 
 import (
 	"fmt"
+	"net/url"
 	"strconv"
 	"strings"
 
@@ -46,15 +47,16 @@ func New(options []*Options, ids []string) (*Provider, error) {
 	return provider, nil
 }
 
+func buildUrl(o *Options) string {
+	return fmt.Sprintf("smtp://%s:%s@%s/?fromAddress=%s&toAddresses=%s&subject=%s&UseHTML=%s&UseStartTLS=%s", o.Username, url.QueryEscape(o.Password), o.Server, o.FromAddress, strings.Join(o.SMTPCC, ","), o.Subject, strconv.FormatBool(o.HTML), strconv.FormatBool(!o.DisableStartTLS))
+}
+
 func (p *Provider) Send(message, CliFormat string) error {
 	var SmtpErr error
 	p.counter++
 	for _, pr := range p.SMTP {
 		msg := utils.FormatMessage(message, utils.SelectFormat(CliFormat, pr.SMTPFormat), p.counter)
-		url := fmt.Sprintf(
-			"smtp://%s:%s@%s/?fromAddress=%s&toAddresses=%s&subject=%s&UseHTML=%s&UseStartTLS=%s",
-			pr.Username, pr.Password, pr.Server, pr.FromAddress, strings.Join(pr.SMTPCC, ","), pr.Subject, strconv.FormatBool(pr.HTML), strconv.FormatBool(!pr.DisableStartTLS),
-		)
+		url := buildUrl(pr)
 		err := shoutrrr.Send(url, msg)
 		if err != nil {
 			err = errors.Wrap(err, fmt.Sprintf("failed to send smtp notification for id: %s ", pr.ID))

diff --git a/pkg/providers/smtp/smtp_test.go b/pkg/providers/smtp/smtp_test.go
@@ -0,0 +1,33 @@
+package smtp
+
+import (
+	"net/url"
+	"testing"
+)
+
+// TestBuildUrl checks the output of buildUrl is valid and parsable by url.Parse
+func TestBuildUrl(t *testing.T) {
+	options := &Options{
+		Server:      "mail.example.com",
+		Username:    "test@example.com",
+		Password:    "password",
+		FromAddress: "from@email.com",
+		SMTPCC:      []string{"to@email.com"},
+		Subject:     "Email subject",
+	}
+	t.Run("with provider config example", func(t *testing.T) {
+		u := buildUrl(options)
+		_, err := url.Parse(u)
+		if err != nil {
+			t.Errorf("Failed to parse url: %s", err)
+		}
+	})
+	t.Run("with octohorpe in password", func(t *testing.T) {
+		options.Password = "passwordwith#inside"
+		u := buildUrl(options)
+		_, err := url.Parse(u)
+		if err != nil {
+			t.Errorf("Failed to parse url: %s", err)
+		}
+	})
+}