fix: prevent SMTP URL leak on unparsable URL (#3770)

ory · Feb 21, 2024 · c5f39f4 · c5f39f4
1 parent b8b747b
commit c5f39f4
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/courier/smtp.go b/courier/smtp.go
@@ -12,6 +12,8 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/pkg/errors"
+
 	"github.com/ory/herodot"
 	"github.com/ory/kratos/driver/config"
 
@@ -27,7 +29,7 @@ type SMTPClient struct {
 func NewSMTPClient(deps Dependencies, cfg *config.SMTPConfig) (*SMTPClient, error) {
 	uri, err := url.Parse(cfg.ConnectionURI)
 	if err != nil {
-		return nil, herodot.ErrInternalServerError.WithError(err.Error())
+		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The SMTP connection URI is malformed. Please contact a system administrator."))
 	}
 
 	var tlsCertificates []tls.Certificate

diff --git a/courier/smtp_test.go b/courier/smtp_test.go
@@ -35,6 +35,23 @@ import (
 	gomail "github.com/ory/mail/v3"
 )
 
+func TestNewSMTPClientPreventLeak(t *testing.T) {
+	// Test for https://hackerone.com/reports/2384028
+
+	ctx := context.Background()
+	conf, reg := internal.NewFastRegistryWithMocks(t)
+
+	invalidURL := "sm<>t>p://f%oo::bar:baz@my-server:1234:122/"
+	conf.MustSet(ctx, config.ViperKeyCourierSMTPURL, invalidURL)
+	channels, err := conf.CourierChannels(ctx)
+	require.NoError(t, err)
+	require.Len(t, channels, 1)
+
+	_, err = courier.NewSMTPClient(reg, channels[0].SMTPConfig)
+	require.Error(t, err)
+	assert.NotContains(t, err.Error(), invalidURL)
+}
+
 func TestNewSMTP(t *testing.T) {
 	ctx := context.Background()
 	conf, reg := internal.NewFastRegistryWithMocks(t)