Security: fix RFC 2047 75-char limit; block supplementary PUA in local parts

ekscrypto · claude · ekscrypto · commit 8ef63b626ce3 · 2026-04-09T19:40:52.000-04:00
Bug 1 (RFC 2047 off-by-one): RFC 2047 §2 caps an encoded-word at 75
characters. The limit check used &lt;= 76, allowing one extra character
beyond the spec. Changed to &lt;= 75.

Bug 2 (supplementary PUA spoofing): The BMP Private Use Area
(U+E000-U+F8FF) was already blocked to prevent spoofing, but the
supplementary PUA-A (U+F0000-U+FFFFF) and PUA-B (U+100000-U+10FFFF)
were implicitly allowed via the supplementaryPlanes union. Added
explicit scalar guards in extractDotAtom and extractQuotedString to
reject these ranges consistently. Emoji and historic-script SMP
characters remain accepted.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Sources/SwiftEmailValidator/EmailSyntaxValidator.swift b/Sources/SwiftEmailValidator/EmailSyntaxValidator.swift
@@ -388,8 +388,9 @@ public final class EmailSyntaxValidator {
                       // U+E0000-U+E007F Unicode Tags block (deprecated invisible-text markup)
                       // U+E0100-U+E01EF Variation Selectors Supplement (invisible combiners, spoofing)
                       && !label.unicodeScalars.contains(where: {
-                          ($0.value >= 0xE0000 && $0.value <= 0xE007F)
-                          || ($0.value >= 0xE0100 && $0.value <= 0xE01EF)
+                          ($0.value >= 0xE0000 && $0.value <= 0xE007F)   // Unicode Tags block
+                          || ($0.value >= 0xE0100 && $0.value <= 0xE01EF) // Variation Selectors Supplement
+                          || ($0.value >= 0xF0000 && $0.value <= 0x10FFFF) // Supplementary PUA-A/B
                       })
               })
         else {
@@ -436,7 +437,8 @@ public final class EmailSyntaxValidator {
                 (s.value >= 0xFE00 && s.value <= 0xFE0F) ||     // U+FE00-U+FE0F Variation Selectors
                 (s.value >= 0xE0000 && s.value <= 0xE007F) ||   // U+E0000-U+E007F Unicode Tags block
                 (s.value >= 0xE0100 && s.value <= 0xE01EF) ||   // U+E0100-U+E01EF Variation Selectors Supplement
-                (s.value == 0x2028 || s.value == 0x2029)        // U+2028 Line Sep, U+2029 Para Sep
+                (s.value == 0x2028 || s.value == 0x2029) ||     // U+2028 Line Sep, U+2029 Para Sep
+                (s.value >= 0xF0000 && s.value <= 0x10FFFF)     // Supplementary PUA-A/B
             }) else {
                 return nil
             }
diff --git a/Sources/SwiftEmailValidator/RFC2047Coder.swift b/Sources/SwiftEmailValidator/RFC2047Coder.swift
@@ -80,7 +80,7 @@ public final class RFC2047Coder {
     /// - Quoted-Printable only supports ISO-8859-1 and ISO-8859-2 charsets
     public static func decode(_ encoded: String) -> String? {
         
-        guard encoded.count <= 76 else {
+        guard encoded.count <= 75 else {
             return nil
         }
         let encodingComponents = match(regex: rfc2047regex, to: encoded)
diff --git a/Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift b/Tests/SwiftEmailValidatorTests/EmailSyntaxValidatorTests.swift
@@ -785,4 +785,42 @@ final class EmailSyntaxValidatorTests: XCTestCase {
             "U+1F600 (emoji, SMP) just below Tags block should still be accepted"
         )
     }
+
+    // MARK: - Bug 2: Supplementary PUA (U+F0000-U+10FFFF)
+
+    func testSupplementaryPrivateUseAreaRejectedInLocalPart() {
+        // Supplementary Private Use Area-A (U+F0000-U+FFFFF) and -B (U+100000-U+10FFFF)
+        // carry the same spoofing risk as the BMP Private Use Area (U+E000-U+F8FF),
+        // which is already blocked. Private-use characters have no standardised rendering
+        // and can appear identical to common glyphs in custom fonts.
+        let permissive: (String) -> Bool = { _ in true }
+        let supplementaryPUAChars: [(Unicode.Scalar, String)] = [
+            (Unicode.Scalar(0xF0000)!, "U+F0000 Supplementary PUA-A first"),
+            (Unicode.Scalar(0xF0001)!, "U+F0001 Supplementary PUA-A"),
+            (Unicode.Scalar(0xFFFFD)!, "U+FFFFD Supplementary PUA-A last valid"),
+            (Unicode.Scalar(0x100000)!, "U+100000 Supplementary PUA-B first"),
+            (Unicode.Scalar(0x100001)!, "U+100001 Supplementary PUA-B"),
+            (Unicode.Scalar(0x10FFFD)!, "U+10FFFD Supplementary PUA-B last valid"),
+        ]
+        for (scalar, name) in supplementaryPUAChars {
+            let char = String(scalar)
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "user\(char)@site.com", compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in dot-atom local part (supplementary PUA spoofing prevention)"
+            )
+            XCTAssertNil(
+                EmailSyntaxValidator.mailbox(from: "\"user\(char)\"@site.com", compatibility: .unicode, domainValidator: permissive),
+                "\(name) must be rejected in quoted-string local part (supplementary PUA spoofing prevention)"
+            )
+        }
+        // Confirm legitimate SMP characters (emoji, historic scripts) remain accepted
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user\u{1F600}@site.com", compatibility: .unicode, domainValidator: permissive),
+            "U+1F600 (emoji, SMP) must still be accepted"
+        )
+        XCTAssertNotNil(
+            EmailSyntaxValidator.mailbox(from: "user\u{1D400}@site.com", compatibility: .unicode, domainValidator: permissive),
+            "U+1D400 (Mathematical Bold A, SMP) must still be accepted"
+        )
+    }
 }
diff --git a/Tests/SwiftEmailValidatorTests/RFC2047CoderTests.swift b/Tests/SwiftEmailValidatorTests/RFC2047CoderTests.swift
@@ -260,6 +260,30 @@ final class RFC2047CoderTests: XCTestCase {
         XCTAssertNil(RFC2047Coder.decode("=?utf-8?b?dGVz dA?="), "Spaces in encoded text should cause failure or be handled per RFC")
     }
 
+    // MARK: - Bug 1: RFC 2047 75-character limit
+
+    func testDecode75CharLimitEnforced() {
+        // RFC 2047 §2: "An 'encoded-word' may not be more than 75 characters long".
+        // Overhead: "=?iso-8859-1?q?" (15) + "?=" (2) = 17 chars → 58 chars of content hits 75 exactly.
+        let prefix = "=?iso-8859-1?q?"
+        let suffix = "?="
+        let overhead = prefix.count + suffix.count  // 17
+
+        // Exactly 75 chars → accepted
+        let content75 = String(repeating: "a", count: 75 - overhead)
+        let encoded75 = prefix + content75 + suffix
+        XCTAssertEqual(encoded75.count, 75)
+        XCTAssertNotNil(RFC2047Coder.decode(encoded75),
+                        "Encoded word of exactly 75 chars must be accepted per RFC 2047 §2")
+
+        // 76 chars → must be rejected (was incorrectly accepted before the fix)
+        let content76 = String(repeating: "a", count: 76 - overhead)
+        let encoded76 = prefix + content76 + suffix
+        XCTAssertEqual(encoded76.count, 76)
+        XCTAssertNil(RFC2047Coder.decode(encoded76),
+                     "Encoded word of 76 chars must be rejected per RFC 2047 §2 (max is 75)")
+    }
+
     func testDecodeGreedyRegexNoExtraContent() {
         // The RFC2047 regex uses (.*) which is greedy. For "=?utf-8?b?aGVsbG8=?=extra?=",
         // the greedy match captures "aGVsbG8=?=extra" as the encoded text. The '?' character

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ public final class RFC2047Coder {`
`80`	`80`	`/// - Quoted-Printable only supports ISO-8859-1 and ISO-8859-2 charsets`
`81`	`81`	`public static func decode(_ encoded: String) -> String? {`
`82`	`82`
`83`		`- guard encoded.count <= 76 else {`
	`83`	`+ guard encoded.count <= 75 else {`
`84`	`84`	`return nil`
`85`	`85`	`}`
`86`	`86`	`let encodingComponents = match(regex: rfc2047regex, to: encoded)`