Security: reject Plane 1-3 supplementary noncharacters in local parts

ekscrypto · claude · ekscrypto · commit 7a09a1628e31 · 2026-04-09T21:28:42.000-04:00
Unicode §23.7 permanently reserves U+nFFFE and U+nFFFF for every plane
(n=1..16) as noncharacters forbidden in open interchange. The explicit
scalar guards covered Planes 4-13 (U+40000-U+DFFFF) and SSP/PUA
(U+E0000+), but missed the six noncharacters in Planes 1-3:
U+1FFFE/U+1FFFF (SMP), U+2FFFE/U+2FFFF (SIP), U+3FFFE/U+3FFFF (TIP).

Add explicit value checks for all six in extractDotAtom and the
extractQuotedString inline guard. Fix the incorrect XCTAssertNotNil for
U+3FFFF (a §23.7 noncharacter, not an assigned scalar). Add
testSupplementaryNonCharactersPlanes1Through3RejectedInLocalPart to
cover all six values plus boundary confirmation that U+1FFFD, U+2FFFD,
and U+3FFFD remain accepted.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Sources/SwiftEmailValidator/EmailSyntaxValidator.swift b/Sources/SwiftEmailValidator/EmailSyntaxValidator.swift
@@ -412,11 +412,17 @@ public final class EmailSyntaxValidator {
                       // Reject supplementary-plane ranges excluded from allowedCharacterSet via
                       // explicit scalar guards (Foundation CharacterSet.contains() is reliable for
                       // individual scalars, but belt-and-suspenders for these security-sensitive ranges):
+                      // U+1FFFE-U+1FFFF: Plane 1 (SMP) noncharacters — Unicode §23.7 permanently reserved
+                      // U+2FFFE-U+2FFFF: Plane 2 (SIP) noncharacters — Unicode §23.7 permanently reserved
+                      // U+3FFFE-U+3FFFF: Plane 3 (TIP) noncharacters — Unicode §23.7 permanently reserved
                       // U+40000-U+DFFFF: Planes 4-13 (entirely unassigned in Unicode)
                       // U+E0000-U+EFFFF: entire SSP (Tags block, unassigned gaps, VS Supplement)
                       // U+F0000-U+10FFFF: Supplementary PUA-A/B
                       && !label.unicodeScalars.contains(where: {
-                          ($0.value >= 0x40000 && $0.value <= 0xDFFFF)   // Planes 4-13 (entirely unassigned)
+                          ($0.value == 0x1FFFE || $0.value == 0x1FFFF)   // Plane 1 noncharacters (§23.7)
+                          || ($0.value == 0x2FFFE || $0.value == 0x2FFFF) // Plane 2 noncharacters (§23.7)
+                          || ($0.value == 0x3FFFE || $0.value == 0x3FFFF) // Plane 3 noncharacters (§23.7)
+                          || ($0.value >= 0x40000 && $0.value <= 0xDFFFF)  // Planes 4-13 (entirely unassigned)
                           || ($0.value >= 0xE0000 && $0.value <= 0x10FFFF) // Entire SSP + PUA-A/B
                       })
               })
@@ -465,6 +471,9 @@ public final class EmailSyntaxValidator {
                 (s.value == 0x2028 || s.value == 0x2029) ||     // U+2028 Line Sep, U+2029 Para Sep
                 (s.value >= 0xFDD0 && s.value <= 0xFDEF) ||     // U+FDD0-U+FDEF Unicode noncharacters
                 (s.value == 0xFFFE || s.value == 0xFFFF) ||     // U+FFFE/U+FFFF BMP noncharacters
+                (s.value == 0x1FFFE || s.value == 0x1FFFF) ||   // Plane 1 noncharacters (§23.7)
+                (s.value == 0x2FFFE || s.value == 0x2FFFF) ||   // Plane 2 noncharacters (§23.7)
+                (s.value == 0x3FFFE || s.value == 0x3FFFF) ||   // Plane 3 noncharacters (§23.7)
                 (s.value >= 0x40000 && s.value <= 0xDFFFF) ||   // Planes 4-13 (entirely unassigned)
                 (s.value >= 0xE0000 && s.value <= 0x10FFFF)     // Entire SSP (Tags, unassigned gaps, VS Sup) + PUA-A/B
             }) else {
diff --git a/Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift b/Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift
@@ -1133,10 +1133,59 @@ final class EmailSyntaxValidatorTests: XCTestCase {
                 compatibility: .unicode, domainValidator: permissive),
             "U+1F600 (emoji, SMP Plane 1) must still be accepted"
         )
-        XCTAssertNotNil(
+        // U+3FFFF is a Unicode §23.7 noncharacter (U+nFFFF pattern, n=3) and must be rejected.
+        // It was previously incorrectly asserted as accepted.
+        XCTAssertNil(
             EmailSyntaxValidator.mailbox(from: "user\u{3FFFF}@site.com",
                 compatibility: .unicode, domainValidator: permissive),
-            "U+3FFFF (last scalar of Plane 3 / TIP, assigned range boundary) must still be accepted"
+            "U+3FFFF (Plane 3 noncharacter per §23.7) must be rejected"
+        )
+    }
+
+    // MARK: - Plane 1–3 supplementary noncharacter exclusions
+
+    func testSupplementaryNonCharactersPlanes1Through3RejectedInLocalPart() {
+        // Unicode §23.7: for every plane n=1..16, U+nFFFE and U+nFFFF are permanently reserved
+        // noncharacters "forbidden for use in open interchange of Unicode text data."
+        // Planes 1 (SMP), 2 (SIP), and 3 (TIP) each have two such noncharacters that were
+        // previously not covered by the Planes 4-13 or SSP/PUA scalar guards.
+        let permissive: (String) -> Bool = { _ in true }
+        let plane123NonChars: [(Unicode.Scalar, String)] = [
+            (Unicode.Scalar(0x1FFFE)!, "U+1FFFE (Plane 1 / SMP noncharacter)"),
+            (Unicode.Scalar(0x1FFFF)!, "U+1FFFF (Plane 1 / SMP noncharacter)"),
+            (Unicode.Scalar(0x2FFFE)!, "U+2FFFE (Plane 2 / SIP noncharacter)"),
+            (Unicode.Scalar(0x2FFFF)!, "U+2FFFF (Plane 2 / SIP noncharacter)"),
+            (Unicode.Scalar(0x3FFFE)!, "U+3FFFE (Plane 3 / TIP noncharacter)"),
+            (Unicode.Scalar(0x3FFFF)!, "U+3FFFF (Plane 3 / TIP noncharacter)"),
+        ]
+        for (scalar, name) in plane123NonChars {
+            let char = String(scalar)
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "user\(char)@site.com",
+                    compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in dot-atom local part (Unicode §23.7 noncharacter)"
+            )
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "\"user\(char)\"@site.com",
+                    compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in quoted-string local part (Unicode §23.7 noncharacter)"
+            )
+        }
+        // Confirm adjacent assigned scalars remain accepted
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user\u{1FFFD}@site.com",
+                compatibility: .unicode, domainValidator: permissive),
+            "U+1FFFD (last assigned Plane 1 scalar, Linear B Syllabary) must remain accepted"
+        )
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user\u{2FFFD}@site.com",
+                compatibility: .unicode, domainValidator: permissive),
+            "U+2FFFD (last assigned Plane 2 scalar) must remain accepted"
+        )
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user\u{3FFFD}@site.com",
+                compatibility: .unicode, domainValidator: permissive),
+            "U+3FFFD (last assigned Plane 3 scalar) must remain accepted"
         )
     }
 }
