Fix: enforce ASCII-only domain labels in .ascii compatibility mode

ekscrypto · claude · ekscrypto · commit 4f1a1e3ace75 · 2026-04-09T19:45:41.000-04:00
In .ascii mode the entire email address must be ASCII — the local-part
check already enforced this, but the domain label character set was
not gated by compatibility, silently accepting Unicode U-labels such
as 例え or 한국 even when the caller expected a fully ASCII address.

Added asciiDomainLabelCharacterSet (strict LDH: A-Z, a-z, 0-9, hyphen)
and threaded extractionCompatibility through the private mailbox and
extractHost helpers so that the appropriate set is selected per mode:

  .ascii               → LDH only (Punycode xn--… passes naturally)
  .unicode /
  .asciiWithUnicodeExtension → existing domainLabelCharacterSet
                               (Unicode U-labels allowed per RFC 5891)

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Sources/SwiftEmailValidator/EmailSyntaxValidator.swift b/Sources/SwiftEmailValidator/EmailSyntaxValidator.swift
@@ -165,15 +165,17 @@ public final class EmailSyntaxValidator {
                 localPart: .dotAtom(dotAtom),
                 originalCandidate: candidate,
                 hostCandidate: String(smtpCandidate.dropFirst(dotAtom.count + 1)),
+                compatibility: extractionCompatibility,
                 allowAddressLiteral: allowAddressLiteral,
                 domainValidator: domainValidator)
         }
-        
+
         if let quotedString = extractQuotedString(smtpCandidate, compatibility: extractionCompatibility) {
             return mailbox(
                 localPart: .quotedString(String(quotedString.cleaned)),
                 originalCandidate: candidate,
                 hostCandidate: String(smtpCandidate.dropFirst(quotedString.integral.count + 1)),
+                compatibility: extractionCompatibility,
                 allowAddressLiteral: allowAddressLiteral,
                 domainValidator: domainValidator)
         }
@@ -215,19 +217,19 @@ public final class EmailSyntaxValidator {
         return RFC2047Coder.encode(candidate)
     }
     
-    private static func mailbox(localPart: Mailbox.LocalPart, originalCandidate: String, hostCandidate: String, allowAddressLiteral: Bool, domainValidator: (String) -> Bool) -> Mailbox? {
-        
-        guard let host = extractHost(from: hostCandidate, allowAddressLiteral: allowAddressLiteral, domainValidator: domainValidator) else {
+    private static func mailbox(localPart: Mailbox.LocalPart, originalCandidate: String, hostCandidate: String, compatibility: Compatibility, allowAddressLiteral: Bool, domainValidator: (String) -> Bool) -> Mailbox? {
+
+        guard let host = extractHost(from: hostCandidate, compatibility: compatibility, allowAddressLiteral: allowAddressLiteral, domainValidator: domainValidator) else {
             return nil
         }
-        
+
         return Mailbox(
             email: originalCandidate,
             localPart: localPart,
             host: host)
     }
-    
-    private static func extractHost(from candidate: String, allowAddressLiteral: Bool, domainValidator: (String) -> Bool) -> Mailbox.Host? {
+
+    private static func extractHost(from candidate: String, compatibility: Compatibility, allowAddressLiteral: Bool, domainValidator: (String) -> Bool) -> Mailbox.Host? {
 
         if candidate.hasPrefix("[") {
             return extractHostLiteral(from: candidate, allowAddressLiteral: allowAddressLiteral)
@@ -239,6 +241,11 @@ public final class EmailSyntaxValidator {
         // RFC 1035: total domain must be ≤253 octets
         guard candidate.utf8.count <= 253 else { return nil }
 
+        // In .ascii mode use the strict LDH-only set (A-Z, a-z, 0-9, hyphen).
+        // Punycode ACE labels (xn--…) are naturally LDH and pass without special handling.
+        // In .unicode / .asciiWithUnicodeExtension modes allow Unicode U-labels per RFC 5891.
+        let labelCharacterSet = compatibility == .ascii ? asciiDomainLabelCharacterSet : domainLabelCharacterSet
+
         // Split without omitting empty subsequences so that consecutive dots (empty labels),
         // leading dots, and trailing dots are all caught by the per-label checks below.
         let labels = candidate.split(separator: ".", omittingEmptySubsequences: false)
@@ -248,7 +255,7 @@ public final class EmailSyntaxValidator {
                 && s.utf8.count <= 63    // RFC 1035: each label ≤63 octets
                 && !s.hasPrefix("-")     // RFC 1123: no leading hyphen
                 && !s.hasSuffix("-")     // RFC 1123: no trailing hyphen
-                && s.unicodeScalars.allSatisfy({ domainLabelCharacterSet.contains($0) })
+                && s.unicodeScalars.allSatisfy({ labelCharacterSet.contains($0) })
         }) else {
             return nil
         }
@@ -345,6 +352,13 @@ public final class EmailSyntaxValidator {
     private static let domainLabelCharacterSet: CharacterSet = CharacterSet.letters
         .union(CharacterSet(charactersIn: "0123456789-"))
 
+    // Strict ASCII LDH set used when compatibility == .ascii.
+    // Punycode ACE labels (xn--…) are naturally LDH and pass this check without special handling.
+    private static let asciiDomainLabelCharacterSet: CharacterSet = CharacterSet(charactersIn: alphaLowerRange)
+        .union(CharacterSet(charactersIn: alphaUpperRange))
+        .union(CharacterSet(charactersIn: digitRange))
+        .union(CharacterSet(charactersIn: "-"))
+
     private static let quotedPairSMTP: ClosedRange<Unicode.Scalar> = Unicode.Scalar(0x20)!...Unicode.Scalar(0x7E)!
     private static let qtextSMTP1: ClosedRange<Unicode.Scalar> = Unicode.Scalar(0x20)!...Unicode.Scalar(0x21)!
     private static let qtextSMTP2: ClosedRange<Unicode.Scalar> = Unicode.Scalar(0x23)!...Unicode.Scalar(0x5B)!
diff --git a/Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift b/Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift
@@ -140,6 +140,30 @@ final class EmailSyntaxValidatorTests: XCTestCase {
         XCTAssertNil(EmailSyntaxValidator.mailbox(from: "한@x.한국", compatibility: .ascii), "Unicode in email addresses should not be allowed in ASCII compatibility mode")
         XCTAssertNil(EmailSyntaxValidator.mailbox(from: "\"한\"@x.한국", compatibility: .ascii), "Unicode in email addresses should not be allowed in ASCII compatibility mode")
     }
+
+    func testAsciiRejectsUnicodeDomain() {
+        // In .ascii mode the domain must also be ASCII-only (LDH labels or Punycode).
+        // A Unicode U-label like 例え or 한국 must be rejected even when the local part is ASCII.
+        let permissive: (String) -> Bool = { _ in true }
+        XCTAssertNil(
+            EmailSyntaxValidator.mailbox(from: "user@例え.jp", compatibility: .ascii, domainValidator: permissive),
+            "Unicode domain label must be rejected in .ascii mode"
+        )
+        XCTAssertNil(
+            EmailSyntaxValidator.mailbox(from: "user@x.한국", compatibility: .ascii, domainValidator: permissive),
+            "Unicode TLD must be rejected in .ascii mode"
+        )
+        // Punycode ACE form is LDH and must be accepted
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user@xn--eckwd4c7c.jp", compatibility: .ascii, domainValidator: permissive),
+            "Punycode ACE label must be accepted in .ascii mode (it is LDH)"
+        )
+        // Unicode domain must still be accepted in .unicode mode
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user@例え.jp", compatibility: .unicode, domainValidator: permissive),
+            "Unicode domain label must be accepted in .unicode mode"
+        )
+    }
     
     func testUnicodeCompatibility() {
         XCTAssertEqual(EmailSyntaxValidator.mailbox(from: "한@x.한국", compatibility: .unicode)?.localPart, .dotAtom("한"), "Unicode email addresses should be allowed in Unicode compatibility")
