node_modules: update (#246)

Co-authored-by: dawidd6 <9713907+dawidd6@users.noreply.github.com>
2025-12-27 16:10:17 +07:00 · 2025-12-25 10:58:28 +01:00
parent de27f3a58b
commit 6e71c855c9
125 changed files with 6609 additions and 655 deletions
--- a/node_modules/nodemailer/lib/mail-composer/index.js
+++ b/node_modules/nodemailer/lib/mail-composer/index.js
@@ -91,19 +91,22 @@ class MailComposer {
                attachment = this._processDataUrl(attachment);
            }

-            let contentType = attachment.contentType || mimeFuncs.detectMimeType(attachment.filename || attachment.path || attachment.href || 'bin');
+            let contentType =
+                attachment.contentType || mimeFuncs.detectMimeType(attachment.filename || attachment.path || attachment.href || 'bin');

            let isImage = /^image\//i.test(contentType);
            let isMessageNode = /^message\//i.test(contentType);

-            let contentDisposition = attachment.contentDisposition || (isMessageNode || (isImage && attachment.cid) ? 'inline' : 'attachment');
+            let contentDisposition =
+                attachment.contentDisposition || (isMessageNode || (isImage && attachment.cid) ? 'inline' : 'attachment');

            let contentTransferEncoding;
            if ('contentTransferEncoding' in attachment) {
                // also contains `false`, to set
                contentTransferEncoding = attachment.contentTransferEncoding;
            } else if (isMessageNode) {
-                contentTransferEncoding = '7bit';
+                // the content might include non-ASCII bytes but at this point we do not know it yet
+                contentTransferEncoding = '8bit';
            } else {
                contentTransferEncoding = 'base64'; // the default
            }
@@ -212,7 +215,10 @@ class MailComposer {
            eventObject;

        if (this.mail.text) {
-            if (typeof this.mail.text === 'object' && (this.mail.text.content || this.mail.text.path || this.mail.text.href || this.mail.text.raw)) {
+            if (
+                typeof this.mail.text === 'object' &&
+                (this.mail.text.content || this.mail.text.path || this.mail.text.href || this.mail.text.raw)
+            ) {
                text = this.mail.text;
            } else {
                text = {
@@ -237,7 +243,10 @@ class MailComposer {
        }

        if (this.mail.amp) {
-            if (typeof this.mail.amp === 'object' && (this.mail.amp.content || this.mail.amp.path || this.mail.amp.href || this.mail.amp.raw)) {
+            if (
+                typeof this.mail.amp === 'object' &&
+                (this.mail.amp.content || this.mail.amp.path || this.mail.amp.href || this.mail.amp.raw)
+            ) {
                amp = this.mail.amp;
            } else {
                amp = {
@@ -272,14 +281,18 @@ class MailComposer {
            }

            eventObject.filename = false;
-            eventObject.contentType = 'text/calendar; charset=utf-8; method=' + (eventObject.method || 'PUBLISH').toString().trim().toUpperCase();
+            eventObject.contentType =
+                'text/calendar; charset=utf-8; method=' + (eventObject.method || 'PUBLISH').toString().trim().toUpperCase();
            if (!eventObject.headers) {
                eventObject.headers = {};
            }
        }

        if (this.mail.html) {
-            if (typeof this.mail.html === 'object' && (this.mail.html.content || this.mail.html.path || this.mail.html.href || this.mail.html.raw)) {
+            if (
+                typeof this.mail.html === 'object' &&
+                (this.mail.html.content || this.mail.html.path || this.mail.html.href || this.mail.html.raw)
+            ) {
                html = this.mail.html;
            } else {
                html = {
@@ -304,7 +317,9 @@ class MailComposer {
                }

                data = {
-                    contentType: alternative.contentType || mimeFuncs.detectMimeType(alternative.filename || alternative.path || alternative.href || 'txt'),
+                    contentType:
+                        alternative.contentType ||
+                        mimeFuncs.detectMimeType(alternative.filename || alternative.path || alternative.href || 'txt'),
                    contentTransferEncoding: alternative.contentTransferEncoding
                };

@@ -550,9 +565,46 @@ class MailComposer {
     * @return {Object} Parsed element
     */
    _processDataUrl(element) {
+        const dataUrl = element.path || element.href;
+
+        // Early validation to prevent ReDoS
+        if (!dataUrl || typeof dataUrl !== 'string') {
+            return element;
+        }
+
+        if (!dataUrl.startsWith('data:')) {
+            return element;
+        }
+
+        if (dataUrl.length > 52428800) {
+            // 52428800 chars = 50MB limit for data URL string (~37.5MB decoded image)
+            // Extract content type before rejecting to preserve MIME type
+            let detectedType = 'application/octet-stream';
+            const commaPos = dataUrl.indexOf(',');
+
+            if (commaPos > 0 && commaPos < 200) {
+                // Parse header safely with size limit
+                const header = dataUrl.substring(5, commaPos); // skip 'data:'
+                const parts = header.split(';');
+                if (parts[0] && parts[0].includes('/')) {
+                    detectedType = parts[0].trim();
+                }
+            }
+
+            // Return empty content for excessively long data URLs
+            return Object.assign({}, element, {
+                path: false,
+                href: false,
+                content: Buffer.alloc(0),
+                contentType: element.contentType || detectedType
+            });
+        }
+
        let parsedDataUri;
-        if ((element.path || element.href).match(/^data:/)) {
-            parsedDataUri = parseDataURI(element.path || element.href);
+        try {
+            parsedDataUri = parseDataURI(dataUrl);
+        } catch (_err) {
+            return element;
        }

        if (!parsedDataUri) {