Security: fix noncharacters, U+2065 gap, C1 Q-decode, escaped clusters, planes 4-13

- Reject Unicode noncharacters U+FDD0–U+FDEF, U+FFFE, U+FFFF (Unicode §23.7)
- Close U+2065 gap between invisible format chars and bidi formatting chars
- RFC2047 Q-decode: reject C1 control bytes 0x80–0x9F (not just DEL)
- Quoted-string escaped position: require single-scalar ASCII cluster (RFC 5321)
- Reject supplementary planes 4–13 (U+40000–U+DFFFF, entirely unassigned)
- 122 tests, 0 failures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: ekscrypto

Sources/SwiftEmailValidator/EmailSyntaxValidator.swift

@@ -308,12 +308,18 @@ public final class EmailSyntaxValidator {
         .union(CharacterSet(charactersIn: Unicode.Scalar(0x2066)!...Unicode.Scalar(0x2069)!)) // LRI, RLI, FSI, PDI
     private static let deprecatedFormatChars: CharacterSet = CharacterSet(charactersIn: Unicode.Scalar(0x206A)!...Unicode.Scalar(0x206F)!) // Deprecated formatting
     private static let bmpPrivateUseChars: CharacterSet = CharacterSet(charactersIn: Unicode.Scalar(0xE000)!...Unicode.Scalar(0xF8FF)!) // BMP Private Use Area
+    // Unicode permanently-reserved noncharacters — §23.7: "forbidden for use in open interchange."
+    // U+FDD0–U+FDEF fall in nonAsciiBmpHigh (above bmpPrivateUseChars) and would survive all
+    // other subtractions without this explicit exclusion.
+    private static let unicodeNonCharacters: CharacterSet =
+        CharacterSet(charactersIn: Unicode.Scalar(0xFDD0)!...Unicode.Scalar(0xFDEF)!) // U+FDD0–U+FDEF permanently reserved noncharacters
+        .union(CharacterSet(charactersIn: Unicode.Scalar(0xFFFE)!...Unicode.Scalar(0xFFFF)!)) // U+FFFE, U+FFFF BMP noncharacters
     // Invisible and zero-width format characters that produce no visible glyph.
     // Allowing them enables creating visually-identical but distinct email addresses (spoofing).
     private static let zeroWidthAndInvisibleChars: CharacterSet =
         CharacterSet(charactersIn: Unicode.Scalar(0x00AD)!...Unicode.Scalar(0x00AD)!) // U+00AD Soft Hyphen
         .union(CharacterSet(charactersIn: Unicode.Scalar(0x200B)!...Unicode.Scalar(0x200D)!)) // U+200B ZWS, U+200C ZWNJ, U+200D ZWJ
-        .union(CharacterSet(charactersIn: Unicode.Scalar(0x2060)!...Unicode.Scalar(0x2064)!)) // U+2060 Word Joiner, U+2061-U+2064 invisible math operators
+        .union(CharacterSet(charactersIn: Unicode.Scalar(0x2060)!...Unicode.Scalar(0x2065)!)) // U+2060 Word Joiner, U+2061-U+2064 invisible math operators, U+2065 reserved
         .union(CharacterSet(charactersIn: Unicode.Scalar(0xFEFF)!...Unicode.Scalar(0xFEFF)!)) // U+FEFF BOM / Zero Width No-Break Space
         .union(CharacterSet(charactersIn: Unicode.Scalar(0x2028)!...Unicode.Scalar(0x2029)!)) // U+2028 Line Separator, U+2029 Paragraph Separator
         .union(CharacterSet(charactersIn: Unicode.Scalar(0xFE00)!...Unicode.Scalar(0xFE0F)!)) // U+FE00-U+FE0F Variation Selectors (invisible combiners, spoofing)
@@ -350,6 +356,7 @@ public final class EmailSyntaxValidator {
         .subtracting(deprecatedFormatChars) // Exclude deprecated format characters
         .subtracting(bmpPrivateUseChars) // Exclude BMP Private Use Area (U+E000-U+F8FF)
         .subtracting(zeroWidthAndInvisibleChars) // Exclude invisible format characters (spoofing prevention)
+        .subtracting(unicodeNonCharacters) // Exclude permanently-reserved Unicode noncharacters (§23.7)
         .union(supplementaryPlanes) // Supplementary planes (emoji, etc.) - MUST BE LAST (after subtractions)
 
     // RFC 952/1123: domain labels are LDH (letters, digits, hyphens); Unicode letters are
@@ -380,6 +387,7 @@ public final class EmailSyntaxValidator {
         .subtracting(deprecatedFormatChars) // Exclude deprecated format characters
         .subtracting(bmpPrivateUseChars) // Exclude BMP Private Use Area (U+E000-U+F8FF)
         .subtracting(zeroWidthAndInvisibleChars) // Exclude invisible format characters (spoofing prevention)
+        .subtracting(unicodeNonCharacters) // Exclude permanently-reserved Unicode noncharacters (§23.7)
         .union(supplementaryPlanes) // Supplementary planes (emoji, etc.) - MUST BE LAST (after subtractions)
 
     private static func extractDotAtom(_ candidate: String, compatibility: Compatibility) -> String? {
@@ -404,10 +412,12 @@ public final class EmailSyntaxValidator {
                       // Reject supplementary-plane ranges excluded from allowedCharacterSet via
                       // explicit scalar guards (Foundation CharacterSet.contains() is reliable for
                       // individual scalars, but belt-and-suspenders for these security-sensitive ranges):
+                      // U+40000-U+DFFFF: Planes 4-13 (entirely unassigned in Unicode)
                       // U+E0000-U+EFFFF: entire SSP (Tags block, unassigned gaps, VS Supplement)
                       // U+F0000-U+10FFFF: Supplementary PUA-A/B
                       && !label.unicodeScalars.contains(where: {
-                          ($0.value >= 0xE0000 && $0.value <= 0x10FFFF) // Entire SSP + PUA-A/B
+                          ($0.value >= 0x40000 && $0.value <= 0xDFFFF)   // Planes 4-13 (entirely unassigned)
+                          || ($0.value >= 0xE0000 && $0.value <= 0x10FFFF) // Entire SSP + PUA-A/B
                       })
               })
         else {
@@ -449,10 +459,13 @@ public final class EmailSyntaxValidator {
             guard !character.unicodeScalars.contains(where: { s in
                 s.value == 0x00AD ||                            // U+00AD Soft Hyphen
                 (s.value >= 0x200B && s.value <= 0x200D) ||     // U+200B-U+200D ZWS/ZWNJ/ZWJ
-                (s.value >= 0x2060 && s.value <= 0x2064) ||     // U+2060-U+2064 invisible format chars
+                (s.value >= 0x2060 && s.value <= 0x2065) ||     // U+2060-U+2065 invisible/reserved format chars
                 s.value == 0xFEFF ||                            // U+FEFF BOM
                 (s.value >= 0xFE00 && s.value <= 0xFE0F) ||     // U+FE00-U+FE0F Variation Selectors
                 (s.value == 0x2028 || s.value == 0x2029) ||     // U+2028 Line Sep, U+2029 Para Sep
+                (s.value >= 0xFDD0 && s.value <= 0xFDEF) ||     // U+FDD0-U+FDEF Unicode noncharacters
+                (s.value == 0xFFFE || s.value == 0xFFFF) ||     // U+FFFE/U+FFFF BMP noncharacters
+                (s.value >= 0x40000 && s.value <= 0xDFFFF) ||   // Planes 4-13 (entirely unassigned)
                 (s.value >= 0xE0000 && s.value <= 0x10FFFF)     // Entire SSP (Tags, unassigned gaps, VS Sup) + PUA-A/B
             }) else {
                 return nil
@@ -470,7 +483,11 @@ public final class EmailSyntaxValidator {
 
             if escaped {
                 cleanedText.append(character)
-                guard quotedPairSMTP.contains(characterScalar) else {
+                // RFC 5321: quoted-pair = "\" (VCHAR / WSP) — exactly one printable ASCII scalar.
+                // A multi-scalar grapheme cluster (e.g. e + U+0301 combining acute) would have its
+                // first scalar pass quotedPairSMTP while the additional scalars go unchecked.
+                guard character.unicodeScalars.count == 1,
+                      quotedPairSMTP.contains(characterScalar) else {
                     return nil
                 }
                 escaped = false

Sources/SwiftEmailValidator/RFC2047Coder.swift

@@ -137,7 +137,10 @@ public final class RFC2047Coder {
             digitsCaptured += 1
             if digitsCaptured == 1 { continue nextCharacter }
 
-            guard value >= 0x20 && value != 0x7F,
+            // Reject C0 controls (0x00–0x1F), DEL (0x7F), and C1 controls (0x80–0x9F).
+            // The prior guard (>= 0x20 && != 0x7F) inadvertently admitted 0x80–0x9F, which
+            // String(data:encoding:isoLatin1) maps to U+0080–U+009F (C1 control characters).
+            guard (value >= 0x20 && value < 0x7F) || value >= 0xA0,
                   let decodedCharacter = String(data: Data([value]), encoding: stringEncoding)
             else {
                 return nil

Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift

@@ -1030,17 +1030,12 @@ final class EmailSyntaxValidatorTests: XCTestCase {
         }
     }
 
-    // MARK: - Review: Tests documenting bugs (will fail until code is fixed)
+    // MARK: - Unicode noncharacter and reserved codepoint exclusions
 
     func testUnicodeNonCharactersRejectedInLocalPart() {
         // Unicode permanently-reserved noncharacters (U+FDD0–U+FDEF, U+FFFE, U+FFFF)
         // have no defined semantics and per Unicode §23.7 are "forbidden for use in
-        // open interchange of Unicode text data."
-        // Bug: these fall in nonAsciiBmpHigh (0xE000–0xFFFF) and survive all
-        // .subtracting() calls — bmpPrivateUseChars only covers up to U+F8FF,
-        // and zeroWidthAndInvisibleChars does not list this range.
-        // The explicit scalar guard in extractDotAtom only starts at 0xE0000 (SSP),
-        // so U+FDD0–U+FFFF are currently accepted.
+        // open interchange of Unicode text data." Both local-part formats must reject them.
         let permissive: (String) -> Bool = { _ in true }
         let nonCharacters: [(Unicode.Scalar, String)] = [
             (Unicode.Scalar(0xFDD0)!, "U+FDD0 (first noncharacter in FDD0–FDEF range)"),
@@ -1064,11 +1059,8 @@ final class EmailSyntaxValidatorTests: XCTestCase {
     }
 
     func testReservedFormatCharU2065RejectedInLocalPart() {
-        // U+2065 is an unassigned/reserved code point that sits in the gap between
-        // zeroWidthAndInvisibleChars (ends at U+2064) and bidiFormattingChars (starts at U+2066).
-        // It should be excluded like its immediate neighbours U+2064 and U+2066.
-        // Bug: neither the CharacterSet nor the inline scalar guard in extractQuotedString
-        // covers this single code point.
+        // U+2065 is unassigned/reserved and sits between invisible format chars (U+2060–U+2064)
+        // and bidi formatting chars (U+2066–U+2069). It must be excluded like its neighbours.
         let permissive: (String) -> Bool = { _ in true }
         XCTAssertNil(
             EmailSyntaxValidator.mailbox(from: "user\u{2065}@site.com",
@@ -1095,10 +1087,8 @@ final class EmailSyntaxValidatorTests: XCTestCase {
 
     func testEscapedMultiScalarClusterRejectedInUnicodeQuotedString() {
         // RFC 5321 §3.3: quoted-pair = "\" (VCHAR / WSP) — exactly one printable ASCII character.
-        // Bug: in Unicode mode the escape path checks only characterScalar (first scalar) against
-        // quotedPairSMTP (0x20–0x7E). A grapheme cluster with a non-ASCII combining scalar
-        // (e.g., e + U+0301 combining acute = decomposed "é", 2 scalars) passes because the
-        // first scalar 'e' is in the ASCII-printable range.
+        // A multi-scalar grapheme cluster in an escape position must be rejected even if its
+        // first scalar is ASCII-printable (e.g. e + U+0301 combining acute = 2 scalars).
         let permissive: (String) -> Bool = { _ in true }
         // "\" followed by e+U+0301 (two-scalar grapheme cluster) in a quoted local part
         let twoScalarEscaped = "\"\\" + "e\u{0301}" + "\"@site.com"
@@ -1114,4 +1104,39 @@ final class EmailSyntaxValidatorTests: XCTestCase {
             "Escaped single ASCII scalar must still be accepted"
         )
     }
+
+    func testSupplementaryPlanes4Through13RejectedInLocalPart() {
+        // Planes 4–13 (U+40000–U+DFFFF) are entirely unassigned in Unicode and must be rejected.
+        let permissive: (String) -> Bool = { _ in true }
+        let planeProbes: [(Unicode.Scalar, String)] = [
+            (Unicode.Scalar(0x40000)!, "U+40000 (first scalar of Plane 4, unassigned)"),
+            (Unicode.Scalar(0x7FFFF)!, "U+7FFFF (last scalar of Plane 7, unassigned)"),
+            (Unicode.Scalar(0x80000)!, "U+80000 (first scalar of Plane 8, unassigned)"),
+            (Unicode.Scalar(0xDFFFF)!, "U+DFFFF (last scalar of Plane 13, unassigned)"),
+        ]
+        for (scalar, name) in planeProbes {
+            let char = String(scalar)
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "user\(char)@site.com",
+                    compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in dot-atom local part"
+            )
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "\"user\(char)\"@site.com",
+                    compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in quoted-string local part"
+            )
+        }
+        // SMP (Plane 1) characters must remain accepted — the fix must not over-reach
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user\u{1F600}@site.com",
+                compatibility: .unicode, domainValidator: permissive),
+            "U+1F600 (emoji, SMP Plane 1) must still be accepted"
+        )
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user\u{3FFFF}@site.com",
+                compatibility: .unicode, domainValidator: permissive),
+            "U+3FFFF (last scalar of Plane 3 / TIP, assigned range boundary) must still be accepted"
+        )
+    }
 }

Tests/SwiftEmailValidatorTests/RFC2047CoderTests.swift

@@ -307,14 +307,11 @@ final class RFC2047CoderTests: XCTestCase {
                        "Clean base64 encoded word should decode correctly")
     }
 
-    // MARK: - Review: Test documenting a bug (will fail until code is fixed)
+    // MARK: - C1 control byte rejection in Q-encoded ISO-8859-1/2
 
     func testDecodingLatin1QC1ControlBytesRejected() {
-        // RFC 2047 Q-encoding for ISO-8859-1/2 must reject C1 control bytes (0x80–0x9F).
-        // Bug: the current guard (value >= 0x20 && value != 0x7F) lets bytes 0x80–0x9F through.
-        // String(data: Data([0x80]), encoding: .isoLatin1) succeeds and returns U+0080 (C1 control),
-        // so decode() returns a non-nil string containing a C1 character instead of nil.
-        // The fix is: (value >= 0x20 && value < 0x7F) || value >= 0xA0
+        // C1 control bytes (0x80–0x9F) must be rejected from Q-encoded ISO-8859-1/2 words.
+        // They are not valid interchange characters and must not decode to C1 Unicode scalars.
         XCTAssertNil(RFC2047Coder.decode("=?iso-8859-1?q?=80?="),
                      "0x80 (first C1 control) must be rejected from Q-encoded ISO-8859-1")
         XCTAssertNil(RFC2047Coder.decode("=?iso-8859-1?q?=90?="),