Security: fix domain octet limits, block Variation Selectors, drop .inverted on supplementary-plane sets

RFC compliance (Bug 1):
- Domain total-length check now uses .utf8.count ≤ 253 (was .count)
- Per-label length check now uses .utf8.count ≤ 63 (was .count)
- RFC 1035 §2.3.4 specifies octets; multi-byte Unicode labels could
  previously exceed the byte limit while passing the character-count check

Spoofing prevention (Bug 2):
- Add U+FE00-U+FE0F (Variation Selectors) to zeroWidthAndInvisibleChars
  so they are subtracted from atextUnicode/qtextUnicode character sets
- Add explicit scalar guards for U+E0100-U+E01EF (Variation Selectors
  Supplement) in extractDotAtom and extractQuotedString
- VS chars combine invisibly with adjacent base characters; "user\uFE01"
  renders identically to "user" — same spoofing risk as ZWJ/ZWNJ

Foundation CharacterSet bug (Bug 3):
- Replace .inverted usage on sets containing supplementary planes with
  per-scalar allSatisfy({ set.contains($0) }) throughout:
  extractDotAtom (disallowedCharacterSet → allowedCharacterSet),
  candidateForRfc2047 (rangeOfCharacter inverted check)
- Foundation's CharacterSet bitmap inversion is unreliable for
  supplementary-plane scalars; direct containment queries are not

Tests: add testDomainLabelUnicodeByteLengthEnforced,
       testTotalDomainUnicodeByteLengthEnforced,
       testVariationSelectorsRejectedInLocalPart (BMP + Supplement)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: ekscrypto

Sources/SwiftEmailValidator/EmailSyntaxValidator.swift

@@ -197,9 +197,10 @@ public final class EmailSyntaxValidator {
     /// - Returns: Repackaged email string (may still fail SMTP validation) or nil if really nothing that could be done
     private static func candidateForRfc2047(_ candidate: String, compatibility: Compatibility) -> String? {
 
+        // Avoid .inverted on sets containing supplementary planes — use per-scalar containment.
         guard compatibility == .asciiWithUnicodeExtension,
               !candidate.hasPrefix("=?"),
-              candidate.rangeOfCharacter(from: qtextUnicodeSMTPCharacterSet.inverted) == nil
+              candidate.unicodeScalars.allSatisfy({ qtextUnicodeSMTPCharacterSet.contains($0) })
         else {
             // There are some unsupported ASCII characters which are invalid regardless of unicode or ASCII (newline, tabs, etc)
             return nil
@@ -235,16 +236,16 @@ public final class EmailSyntaxValidator {
         // RFC 5321: host must not be empty
         guard !candidate.isEmpty else { return nil }
 
-        // RFC 1035: total domain must be ≤253 chars
-        guard candidate.count <= 253 else { return nil }
+        // RFC 1035: total domain must be ≤253 octets
+        guard candidate.utf8.count <= 253 else { return nil }
 
         // Split without omitting empty subsequences so that consecutive dots (empty labels),
         // leading dots, and trailing dots are all caught by the per-label checks below.
         let labels = candidate.split(separator: ".", omittingEmptySubsequences: false)
         guard labels.allSatisfy({ label in
             let s = String(label)
             return s.count >= 1          // no empty labels (catches .., leading/trailing dot)
-                && s.count <= 63         // RFC 1035: each label ≤63 chars
+                && s.utf8.count <= 63    // RFC 1035: each label ≤63 octets
                 && !s.hasPrefix("-")     // RFC 1123: no leading hyphen
                 && !s.hasSuffix("-")     // RFC 1123: no trailing hyphen
                 && s.unicodeScalars.allSatisfy({ domainLabelCharacterSet.contains($0) })
@@ -305,6 +306,7 @@ public final class EmailSyntaxValidator {
         .union(CharacterSet(charactersIn: Unicode.Scalar(0x2060)!...Unicode.Scalar(0x2064)!)) // U+2060 Word Joiner, U+2061-U+2064 invisible math operators
         .union(CharacterSet(charactersIn: Unicode.Scalar(0xFEFF)!...Unicode.Scalar(0xFEFF)!)) // U+FEFF BOM / Zero Width No-Break Space
         .union(CharacterSet(charactersIn: Unicode.Scalar(0x2028)!...Unicode.Scalar(0x2029)!)) // U+2028 Line Separator, U+2029 Paragraph Separator
+        .union(CharacterSet(charactersIn: Unicode.Scalar(0xFE00)!...Unicode.Scalar(0xFE0F)!)) // U+FE00-U+FE0F Variation Selectors (invisible combiners, spoofing)
 
     // Note: CharacterSet.inverted doesn't properly include supplementary planes (U+10000+).
     // Using .inverted on an ASCII-range set also leaks supplementary scalars into the result on
@@ -369,17 +371,26 @@ public final class EmailSyntaxValidator {
         }
 
         let dotAtom = candidate[..<atRange.lowerBound]
-        let disallowedCharacterSet: CharacterSet = compatibility == .ascii ? atextCharacterSet.inverted : atextUnicodeCharacterSet.inverted
+        // Avoid .inverted on sets containing supplementary planes — Foundation has a known bug
+        // where .inverted doesn't correctly handle supplementary-plane bitmaps. Check membership
+        // in the allowed set directly using per-scalar containment instead.
+        let allowedCharacterSet: CharacterSet = compatibility == .ascii ? atextCharacterSet : atextUnicodeCharacterSet
         guard dotAtom.count > 0,
               dotAtom.utf8.count <= 64,
               !dotAtom.hasPrefix("."),
               !dotAtom.hasSuffix("."),
               dotAtom.components(separatedBy: ".").allSatisfy({ label in
                   label.count > 0
-                      && label.rangeOfCharacter(from: disallowedCharacterSet) == nil
-                      // Reject Unicode Tags block (U+E0000-U+E007F): deprecated invisible-text
-                      // characters included in supplementaryPlanes but unsafe for email.
-                      && !label.unicodeScalars.contains(where: { $0.value >= 0xE0000 && $0.value <= 0xE007F })
+                      && label.unicodeScalars.allSatisfy({ allowedCharacterSet.contains($0) })
+                      // Reject supplementary-plane ranges excluded from allowedCharacterSet via
+                      // explicit scalar guards (Foundation CharacterSet.contains() is reliable for
+                      // individual scalars, but belt-and-suspenders for these security-sensitive ranges):
+                      // U+E0000-U+E007F Unicode Tags block (deprecated invisible-text markup)
+                      // U+E0100-U+E01EF Variation Selectors Supplement (invisible combiners, spoofing)
+                      && !label.unicodeScalars.contains(where: {
+                          ($0.value >= 0xE0000 && $0.value <= 0xE007F)
+                          || ($0.value >= 0xE0100 && $0.value <= 0xE01EF)
+                      })
               })
         else {
             return nil
@@ -418,11 +429,13 @@ public final class EmailSyntaxValidator {
             // security-excluded scalars that appear as combining elements would slip through.
             // Scan every scalar in the cluster explicitly to prevent this.
             guard !character.unicodeScalars.contains(where: { s in
-                s.value == 0x00AD ||                          // U+00AD Soft Hyphen
-                (s.value >= 0x200B && s.value <= 0x200D) ||   // U+200B-U+200D ZWS/ZWNJ/ZWJ
-                (s.value >= 0x2060 && s.value <= 0x2064) ||   // U+2060-U+2064 invisible format chars
-                s.value == 0xFEFF ||                          // U+FEFF BOM
-                (s.value >= 0xE0000 && s.value <= 0xE007F) ||  // U+E0000-U+E007F Unicode Tags block
+                s.value == 0x00AD ||                            // U+00AD Soft Hyphen
+                (s.value >= 0x200B && s.value <= 0x200D) ||     // U+200B-U+200D ZWS/ZWNJ/ZWJ
+                (s.value >= 0x2060 && s.value <= 0x2064) ||     // U+2060-U+2064 invisible format chars
+                s.value == 0xFEFF ||                            // U+FEFF BOM
+                (s.value >= 0xFE00 && s.value <= 0xFE0F) ||     // U+FE00-U+FE0F Variation Selectors
+                (s.value >= 0xE0000 && s.value <= 0xE007F) ||   // U+E0000-U+E007F Unicode Tags block
+                (s.value >= 0xE0100 && s.value <= 0xE01EF) ||   // U+E0100-U+E01EF Variation Selectors Supplement
                 (s.value == 0x2028 || s.value == 0x2029)        // U+2028 Line Sep, U+2029 Para Sep
             }) else {
                 return nil

Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift

@@ -479,6 +479,49 @@ final class EmailSyntaxValidatorTests: XCTestCase {
                         "Domain with valid-length labels totaling < 253 chars should be accepted with permissive validator")
     }
 
+    func testDomainLabelUnicodeByteLengthEnforced() {
+        // RFC 1035 §2.3.4: each label must be ≤63 *octets*.
+        // A label composed of 32 two-byte characters is 32 characters (≤63) but 64 UTF-8 bytes (>63).
+        // It must be rejected even though the character count is within the old (wrong) limit.
+        let permissive: (String) -> Bool = { _ in true }
+
+        // "ñ" is U+00F1, 2 UTF-8 bytes. 32 × "ñ" = 32 chars / 64 bytes → label too long in octets.
+        let twoByteChar = "ñ"
+        XCTAssertEqual(twoByteChar.utf8.count, 2)
+        let label64Bytes = String(repeating: twoByteChar, count: 32) // 32 chars, 64 bytes
+        XCTAssertEqual(label64Bytes.count, 32)
+        XCTAssertEqual(label64Bytes.utf8.count, 64)
+        XCTAssertNil(EmailSyntaxValidator.mailbox(from: "user@\(label64Bytes).com", compatibility: .unicode, domainValidator: permissive),
+                     "Domain label with 64 UTF-8 bytes (32 two-byte chars) must be rejected per RFC 1035")
+
+        // 31 × "ñ" = 31 chars / 62 bytes → should be accepted (within both limits).
+        let label62Bytes = String(repeating: twoByteChar, count: 31) // 31 chars, 62 bytes
+        XCTAssertEqual(label62Bytes.utf8.count, 62)
+        XCTAssertNotNil(EmailSyntaxValidator.mailbox(from: "user@\(label62Bytes).com", compatibility: .unicode, domainValidator: permissive),
+                        "Domain label with 62 UTF-8 bytes should be accepted")
+    }
+
+    func testTotalDomainUnicodeByteLengthEnforced() {
+        // RFC 1035 §2.3.4: total domain must be ≤253 *octets*.
+        // Build a domain whose character count is ≤253 but whose UTF-8 byte count exceeds 253.
+        // Each label: 31 × "ñ" (31 chars, 62 bytes); three labels + dots = 62+1+62+1+62 = 188 chars / bytes.
+        // Add a fourth label of 30 two-byte chars: 188+1+60 = 249 chars / 188+1+60 = 249 bytes — ok.
+        // Then push it over 253 bytes without going over 253 chars by using more two-byte chars.
+        let permissive: (String) -> Bool = { _ in true }
+        let twoByteChar = "ñ"
+
+        // Construct a domain that is 127 chars but 254 bytes.
+        // Three labels of 31 "ñ" each = 31*3 + 2 dots = 95 chars / 62*3+2 = 188 bytes.
+        // Add a 4th label of 33 "ñ" = 33 chars / 66 bytes → total 129 chars / 255 bytes → reject.
+        let label31 = String(repeating: twoByteChar, count: 31) // 62 bytes, 31 chars
+        let label33 = String(repeating: twoByteChar, count: 33) // 66 bytes, 33 chars
+        let longByteDomain = "\(label31).\(label31).\(label31).\(label33)"
+        XCTAssertLessThanOrEqual(longByteDomain.count, 253, "character count must be ≤253 to test the byte-count path")
+        XCTAssertGreaterThan(longByteDomain.utf8.count, 253, "byte count must exceed 253 to exercise the fix")
+        XCTAssertNil(EmailSyntaxValidator.mailbox(from: "u@\(longByteDomain)", compatibility: .unicode, domainValidator: permissive),
+                     "Domain exceeding 253 UTF-8 bytes must be rejected even if character count ≤253")
+    }
+
     func testVeryLongRFC2047EncodedString() {
         // RFC2047 has 76-character limit
         // Create a string that when encoded exceeds 76 chars
@@ -641,6 +684,49 @@ final class EmailSyntaxValidatorTests: XCTestCase {
         }
     }
 
+    func testVariationSelectorsRejectedInLocalPart() {
+        // Variation Selectors (U+FE00-U+FE0F) and Variation Selectors Supplement (U+E0100-U+E01EF)
+        // are invisible combining characters. They produce no glyph and render identically to their
+        // base character in all common renderers, making "user\u{FE01}" visually indistinguishable
+        // from "user" — the same spoofing risk as ZWJ/ZWNJ, which are already blocked.
+        let permissive: (String) -> Bool = { _ in true }
+
+        // BMP Variation Selectors (U+FE00-U+FE0F) — spot-check first, middle, last
+        let bmpVariationSelectors: [(String, String)] = [
+            ("\u{FE00}", "U+FE00 Variation Selector-1"),
+            ("\u{FE08}", "U+FE08 Variation Selector-9"),
+            ("\u{FE0F}", "U+FE0F Variation Selector-16"),
+        ]
+        for (char, name) in bmpVariationSelectors {
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "user\(char)@site.com", compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in dot-atom local part (spoofing prevention)"
+            )
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "\"user\(char)\"@site.com", compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in quoted-string local part (spoofing prevention)"
+            )
+        }
+
+        // Variation Selectors Supplement (U+E0100-U+E01EF) — spot-check first, middle, last
+        let supplementVariationSelectors: [(Unicode.Scalar, String)] = [
+            (Unicode.Scalar(0xE0100)!, "U+E0100 Variation Selector-17"),
+            (Unicode.Scalar(0xE0140)!, "U+E0140 Variation Selector-81"),
+            (Unicode.Scalar(0xE01EF)!, "U+E01EF Variation Selector-256"),
+        ]
+        for (scalar, name) in supplementVariationSelectors {
+            let char = String(scalar)
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "user\(char)@site.com", compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in dot-atom local part (spoofing prevention)"
+            )
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "\"user\(char)\"@site.com", compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in quoted-string local part (spoofing prevention)"
+            )
+        }
+    }
+
     func testLineSeparatorCharactersRejectedInLocalPart() {
         // U+2028 (Line Separator) and U+2029 (Paragraph Separator) carry line-break
         // semantics in some runtimes and are not explicitly permitted by RFC 6531/6532.