🔒 Fixed remote command injection when using sendmail email transport

daniellockyer · daniellockyer · commit 93e4b2eafd18 · 2021-09-17T16:46:51.000+01:00
refs GHSA-wfrj-qqc2-83cm refs GHSA-48ww-j4fc-435p - a vulnerability in `nodemailer` means that the `sendmail` transport is vulnerable to command injection for flags passed to the `sendmail` binary - updating to the latest version of Nodemailer required creating `@tryghost/nodemailer`, which is a wrapper around Nodemailer and several plugins that used to be in the core - this commit switches to using that package, and fixes up some small code + test changes
diff --git a/core/server/services/mail/GhostMailer.js b/core/server/services/mail/GhostMailer.js
@@ -67,15 +67,18 @@ function createMailError({message, err, ignoreDefaultMessage} = {message: ''}) {
 
 module.exports = class GhostMailer {
     constructor() {
-        const nodemailer = require('nodemailer');
-        const transport = config.get('mail') && config.get('mail').transport || 'direct';
+        const nodemailer = require('@tryghost/nodemailer');
+
+        let transport = config.get('mail') && config.get('mail').transport || 'direct';
+        transport = transport.toLowerCase();
+
         // nodemailer mutates the options passed to createTransport
         const options = config.get('mail') && _.clone(config.get('mail').options) || {};
 
         this.state = {
             usingDirect: transport === 'direct'
         };
-        this.transport = nodemailer.createTransport(transport, options);
+        this.transport = nodemailer(transport, options);
     }
 
     /**
@@ -102,52 +105,42 @@ module.exports = class GhostMailer {
 
         const response = await this.sendMail(messageToSend);
 
-        if (this.transport.transportType === 'DIRECT') {
+        if (this.state.usingDirect) {
             return this.handleDirectTransportResponse(response);
         }
 
         return response;
     }
 
-    sendMail(message) {
-        return new Promise((resolve, reject) => {
-            this.transport.sendMail(message, (err, response) => {
-                if (err) {
-                    reject(createMailError({
-                        message: i18n.t('errors.mail.reason', {reason: err.message || err}),
-                        err
-                    }));
-                }
-                resolve(response);
+    async sendMail(message) {
+        try {
+            const response = await this.transport.sendMail(message);
+            return response;
+        } catch (err) {
+            throw createMailError({
+                message: i18n.t('errors.mail.reason', {reason: err.message || err}),
+                err
             });
-        });
+        }
     }
 
     handleDirectTransportResponse(response) {
-        return new Promise((resolve, reject) => {
-            response.statusHandler.once('failed', function (data) {
-                if (data.error && data.error.code === 'ENOTFOUND') {
-                    reject(createMailError({
-                        message: i18n.t('errors.mail.noMailServerAtAddress.error', {domain: data.domain})
-                    }));
-                }
-
-                reject(createMailError());
-            });
-
-            response.statusHandler.once('requeue', function (data) {
-                if (data.error && data.error.message) {
-                    reject(createMailError({
-                        message: i18n.t('errors.mail.reason', {reason: data.error.message})
-                    }));
-                }
+        if (!response) {
+            return i18n.t('notices.mail.messageSent');
+        }
 
-                reject(createMailError());
+        if (response.pending.length > 0) {
+            throw createMailError({
+                message: i18n.t('errors.mail.reason', {reason: 'Email has been temporarily rejected'})
             });
+        }
 
-            response.statusHandler.once('sent', function () {
-                resolve(i18n.t('notices.mail.messageSent'));
+        if (response.errors.length > 0) {
+            throw createMailError({
+                message: i18n.t('errors.mail.reason', {reason: response.errors[0].message})
             });
-        });
+        }
+
+        return i18n.t('notices.mail.messageSent');
     }
 };
diff --git a/package.json b/package.json
@@ -79,6 +79,7 @@
     "@tryghost/members-importer": "0.3.2",
     "@tryghost/members-ssr": "1.0.12",
     "@tryghost/mw-session-from-token": "0.1.22",
+    "@tryghost/nodemailer": "0.3.1",
     "@tryghost/package-json": "1.0.2",
     "@tryghost/promise": "0.1.9",
     "@tryghost/request": "0.1.5",
@@ -148,7 +149,6 @@
     "mysql": "2.18.1",
     "nconf": "0.11.3",
     "node-jose": "2.0.0",
-    "nodemailer": "0.7.1",
     "oembed-parser": "1.4.8",
     "passport": "0.4.1",
     "passport-google-oauth": "2.0.0",
diff --git a/renovate.json b/renovate.json
@@ -11,7 +11,6 @@
       "intl-messageformat",
       "moment",
       "moment-timezone",
-      "nodemailer",
       "simple-dom"
     ],
   "ignorePaths": ["test"],
diff --git a/test/unit/services/mail/GhostMailer.test.js b/test/unit/services/mail/GhostMailer.test.js
@@ -61,7 +61,7 @@ describe('Mail: Ghostmailer', function () {
         mailer = new mail.GhostMailer();
 
         mailer.should.have.property('transport');
-        mailer.transport.transportType.should.eql('SMTP');
+        mailer.transport.transporter.name.should.eql('SMTP');
         mailer.transport.sendMail.should.be.a.Function();
     });
 
@@ -71,18 +71,18 @@ describe('Mail: Ghostmailer', function () {
         mailer = new mail.GhostMailer();
 
         mailer.should.have.property('transport');
-        mailer.transport.transportType.should.eql('DIRECT');
+        mailer.transport.transporter.name.should.eql('SMTP (direct)');
     });
 
     it('sends valid message successfully ', function (done) {
         configUtils.set({mail: {transport: 'stub'}});
 
         mailer = new mail.GhostMailer();
 
-        mailer.transport.transportType.should.eql('STUB');
+        mailer.transport.transporter.name.should.eql('Stub');
 
         mailer.send(mailDataNoServer).then(function (response) {
-            should.exist(response.message);
+            should.exist(response.response);
             should.exist(response.envelope);
             response.envelope.to.should.containEql('joe@example.com');
 
@@ -95,7 +95,7 @@ describe('Mail: Ghostmailer', function () {
 
         mailer = new mail.GhostMailer();
 
-        mailer.transport.transportType.should.eql('STUB');
+        mailer.transport.transporter.name.should.eql('Stub');
 
         mailer.send(mailDataNoServer).then(function () {
             done(new Error('Stub did not error'));
@@ -125,7 +125,7 @@ describe('Mail: Ghostmailer', function () {
         });
 
         it('return correct failure message for domain doesn\'t exist', function (done) {
-            mailer.transport.transportType.should.eql('DIRECT');
+            mailer.transport.transporter.name.should.eql('SMTP (direct)');
 
             mailer.send(mailDataNoDomain).then(function () {
                 done(new Error('Error message not shown.'));
@@ -136,7 +136,7 @@ describe('Mail: Ghostmailer', function () {
         });
 
         it('return correct failure message for no mail server at this address', function (done) {
-            mailer.transport.transportType.should.eql('DIRECT');
+            mailer.transport.transporter.name.should.eql('SMTP (direct)');
 
             mailer.send(mailDataNoServer).then(function () {
                 done(new Error('Error message not shown.'));
@@ -147,7 +147,7 @@ describe('Mail: Ghostmailer', function () {
         });
 
         it('return correct failure message for incomplete data', function (done) {
-            mailer.transport.transportType.should.eql('DIRECT');
+            mailer.transport.transporter.name.should.eql('SMTP (direct)');
 
             mailer.send(mailDataIncomplete).then(function () {
                 done(new Error('Error message not shown.'));
@@ -169,7 +169,7 @@ describe('Mail: Ghostmailer', function () {
             mailer = new mail.GhostMailer();
 
             sandbox.stub(mailer, 'sendMail').resolves();
-            mailer.transport.transportType = 'NOT DIRECT';
+            mailer.transport.transporter.name = 'NOT DIRECT';
 
             await mailer.send({
                 to: 'user@example.com',
@@ -184,7 +184,7 @@ describe('Mail: Ghostmailer', function () {
             beforeEach(async function () {
                 mailer = new mail.GhostMailer();
                 sandbox.stub(mailer, 'sendMail').resolves();
-                mailer.transport.transportType = 'NOT DIRECT';
+                mailer.transport.transporter.name = 'NOT DIRECT';
                 sandbox.stub(settingsCache, 'get').returns('Test');
             });
 
@@ -251,7 +251,7 @@ describe('Mail: Ghostmailer', function () {
             mailer = new mail.GhostMailer();
 
             sandbox.stub(mailer, 'sendMail').resolves();
-            mailer.transport.transportType = 'NOT DIRECT';
+            mailer.transport.transporter.name = 'NOT DIRECT';
 
             await mailer.send({
                 to: 'user@example.com',
@@ -270,7 +270,7 @@ describe('Mail: Ghostmailer', function () {
             mailer = new mail.GhostMailer();
 
             sandbox.stub(mailer, 'sendMail').resolves();
-            mailer.transport.transportType = 'NOT DIRECT';
+            mailer.transport.transporter.name = 'NOT DIRECT';
 
             await mailer.send({
                 to: 'user@example.com',
@@ -298,7 +298,7 @@ describe('Mail: Ghostmailer', function () {
             mailer = new mail.GhostMailer();
 
             sandbox.stub(mailer, 'sendMail').resolves();
-            mailer.transport.transportType = 'NOT DIRECT';
+            mailer.transport.transporter.name = 'NOT DIRECT';
 
             await mailer.send({
                 to: 'user@example.com',
@@ -326,7 +326,7 @@ describe('Mail: Ghostmailer', function () {
             mailer = new mail.GhostMailer();
 
             sandbox.stub(mailer, 'sendMail').resolves();
-            mailer.transport.transportType = 'NOT DIRECT';
+            mailer.transport.transporter.name = 'NOT DIRECT';
 
             await mailer.send({
                 to: 'user@example.com',
diff --git a/test/unit/services/mail/utils.test.js b/test/unit/services/mail/utils.test.js
@@ -1,28 +1,19 @@
 const should = require('should');
 const sinon = require('sinon');
 const mail = require('../../../../core/server/services/mail');
+const configUtils = require('../../../utils/configUtils');
 
 describe('Mail: Utils', function () {
     const scope = {ghostMailer: null};
 
     beforeEach(function () {
+        configUtils.set({mail: {transport: 'stub'}});
         scope.ghostMailer = new mail.GhostMailer();
-
-        sinon.stub(scope.ghostMailer.transport, 'sendMail').callsFake(function (message, sendMailDone) {
-            sendMailDone(null, {
-                statusHandler: {
-                    once: function (eventName, eventDone) {
-                        if (eventName === 'sent') {
-                            eventDone();
-                        }
-                    }
-                }
-            });
-        });
     });
 
     afterEach(function () {
         sinon.restore();
+        configUtils.restore();
     });
 
     it('generate welcome', function (done) {
diff --git a/yarn.lock b/yarn.lock
