fix(addressparser): Fixed addressparser handling of quoted nested email addresses

Author: andris9

lib/addressparser/index.js

@@ -15,10 +15,12 @@ function _handleAddress(tokens) {
         address: [],
         comment: [],
         group: [],
-        text: []
+        text: [],
+        textWasQuoted: [] // Track which text tokens came from inside quotes
     };
     let i;
     let len;
+    let insideQuotes = false; // Track if we're currently inside a quoted string
 
     // Filter out <addresses>, (comments) and regular text
     for (i = 0, len = tokens.length; i < len; i++) {
@@ -28,16 +30,25 @@ function _handleAddress(tokens) {
             switch (token.value) {
                 case '<':
                     state = 'address';
+                    insideQuotes = false;
                     break;
                 case '(':
                     state = 'comment';
+                    insideQuotes = false;
                     break;
                 case ':':
                     state = 'group';
                     isGroup = true;
+                    insideQuotes = false;
+                    break;
+                case '"':
+                    // Track quote state for text tokens
+                    insideQuotes = !insideQuotes;
+                    state = 'text';
                     break;
                 default:
                     state = 'text';
+                    insideQuotes = false;
                     break;
             }
         } else if (token.value) {
@@ -51,8 +62,14 @@ function _handleAddress(tokens) {
             if (prevToken && prevToken.noBreak && data[state].length) {
                 // join values
                 data[state][data[state].length - 1] += token.value;
+                if (state === 'text' && insideQuotes) {
+                    data.textWasQuoted[data.textWasQuoted.length - 1] = true;
+                }
             } else {
                 data[state].push(token.value);
+                if (state === 'text') {
+                    data.textWasQuoted.push(insideQuotes);
+                }
             }
         }
     }
@@ -74,8 +91,12 @@ function _handleAddress(tokens) {
         // If no address was found, try to detect one from regular text
         if (!data.address.length && data.text.length) {
             for (i = data.text.length - 1; i >= 0; i--) {
-                if (data.text[i].match(/^[^@\s]+@[^@\s]+$/)) {
+                // Security fix: Do not extract email addresses from quoted strings
+                // RFC 5321 allows @ inside quoted local-parts like "user@domain"@example.com
+                // Extracting emails from quoted text leads to misrouting vulnerabilities
+                if (!data.textWasQuoted[i] && data.text[i].match(/^[^@\s]+@[^@\s]+$/)) {
                     data.address = data.text.splice(i, 1);
+                    data.textWasQuoted.splice(i, 1);
                     break;
                 }
             }
@@ -92,10 +113,13 @@ function _handleAddress(tokens) {
             // still no address
             if (!data.address.length) {
                 for (i = data.text.length - 1; i >= 0; i--) {
-                    // fixed the regex to parse email address correctly when email address has more than one @
-                    data.text[i] = data.text[i].replace(/\s*\b[^@\s]+@[^\s]+\b\s*/, _regexHandler).trim();
-                    if (data.address.length) {
-                        break;
+                    // Security fix: Do not extract email addresses from quoted strings
+                    if (!data.textWasQuoted[i]) {
+                        // fixed the regex to parse email address correctly when email address has more than one @
+                        data.text[i] = data.text[i].replace(/\s*\b[^@\s]+@[^\s]+\b\s*/, _regexHandler).trim();
+                        if (data.address.length) {
+                            break;
+                        }
                     }
                 }
             }

test/addressparser/addressparser-test.js

@@ -309,4 +309,40 @@ describe('#addressparser', () => {
         ];
         assert.deepStrictEqual(addressparser(input), expected);
     });
+
+    // Security tests for RFC 5321/5322 quoted local-part handling
+    it('should not extract email from quoted local-part (security)', () => {
+        let input = '"[email protected] x"@internal.domain';
+        let result = addressparser(input);
+        // Should preserve full address, NOT extract [email protected]
+        assert.strictEqual(result.length, 1);
+        assert.strictEqual(result[0].address.includes('@internal.domain'), true);
+        assert.strictEqual(result[0].address, '[email protected] [email protected]');
+    });
+
+    it('should handle quoted local-part with attacker domain (security)', () => {
+        let input = '"[email protected]"@legitimate.com';
+        let result = addressparser(input);
+        // Should route to legitimate.com, not attacker.com
+        assert.strictEqual(result.length, 1);
+        assert.strictEqual(result[0].address.includes('@legitimate.com'), true);
+        assert.strictEqual(result[0].address, '[email protected]@legitimate.com');
+    });
+
+    it('should handle multiple @ in quoted local-part (security)', () => {
+        let input = '"a@b@c"@example.com';
+        let result = addressparser(input);
+        // Should not extract a@b or b@c
+        assert.strictEqual(result.length, 1);
+        assert.strictEqual(result[0].address, 'a@b@[email protected]');
+    });
+
+    it('should handle quoted local-part with angle brackets', () => {
+        let input = 'Name <"[email protected]"@example.com>';
+        let result = addressparser(input);
+        assert.strictEqual(result.length, 1);
+        assert.strictEqual(result[0].name, 'Name');
+        // When address is in <>, quotes are preserved as part of the address
+        assert.strictEqual(result[0].address, '"[email protected]"@example.com');
+    });
 });