E-Mail Validation doesn't cover new TLDs #450

Closed
einfallstoll opened this issue Nov 16, 2015 · 3 comments

@einfallstoll

The current RegEx for E-Mails doesn't work for my E-Mail Address which included a new TLD .solutions.

It does work with the RegEx found here: http://emailregex.com

$ node
> "[email protected]".match(/^((([a-z]|\d|[!#\$%&'\*\+\-\/=\?\^_`{\|}~])+(\.([a-z]|\d|[!#\$%&'\*\+\-\/=\?\^_`{\|}~])+)*)|((\x22)((((\x20|\x09)*(\x0d\x0a))?(\x20|\x09)+)?(([\x01-\x08\x0b\x0c\x0e-\x1f\x7f]|\x21|[\x23-\x5b]|[\x5d-\x7e])|(\\[\x01-\x09\x0b\x0c\x0d-\x7f])))*(((\x20|\x09)*(\x0d\x0a))?(\x20|\x09)+)?(\x22)))$/i)
null
> "[email protected]".match(/(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])/)
[ '[email protected]',
  index: 0,
  input: '[email protected]' ]
@chriso
Collaborator

chriso commented Nov 16, 2015

Your email address is valid according to the library:

> validator.isEmail('[email protected]');
true

The isEmail validator isn't just one regex pattern. It validates the local user part with regex and then validates the domain part with the validator.isFQDN validator. It breaks the validation up in this way to prevent a ReDoS attack (#152). The regex you pasted from emailregex.com is also vulnerable and should not be used in production.

@chriso chriso closed this as completed Nov 16, 2015
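
The split-then-validate approach described in the comment above, as an added JavaScript sketch; it is not validator.js's source and not part of the original thread. The function names, the length limits and the sample addresses are assumptions made for this example, and quoted local parts and internationalized domains are left out.

```javascript
// Added example, not validator.js code. All names here are hypothetical.
// Idea: never run one large pattern over the whole address. Split it, cap
// lengths, and test each piece with a flat character class so there is no
// nested or ambiguous repetition for a regex engine to backtrack over.

const ATOM = /^[a-z0-9!#$%&'*+\/=?^_`{|}~-]+$/i; // one dot-free run of the local part
const LABEL = /^[a-z0-9-]{1,63}$/i;               // one DNS label, at most 63 characters
const TLD = /^[a-z]{2,}$/i;                       // any length, so newer gTLDs pass

function isDomainName(domain) {
  const labels = domain.split('.');
  if (labels.length < 2) return false;            // require at least name + TLD
  if (!TLD.test(labels[labels.length - 1])) return false;
  return labels.every(
    (l) => LABEL.test(l) && !l.startsWith('-') && !l.endsWith('-')
  );
}

function isEmailSplit(input) {
  // Length caps reject oversized input before any pattern is evaluated.
  if (typeof input !== 'string' || input.length > 254) return false;
  const at = input.lastIndexOf('@');
  if (at < 1) return false;                       // no '@', or empty local part
  const local = input.slice(0, at);
  const domain = input.slice(at + 1);
  if (local.length > 64) return false;
  // An empty atom (leading, trailing or doubled dot) fails ATOM's '+'.
  return local.split('.').every((a) => ATOM.test(a)) && isDomainName(domain);
}

// Constructed sample addresses, not taken from the issue.
const samples = [
  'user@example.solutions',            // long gTLD: accepted
  'a..b@example.com',                  // doubled dot in local part: rejected
  'user@example.c',                    // one-letter TLD: rejected
  'a'.repeat(50000) + '@example.com',  // oversized input: rejected by the cap
];
for (const s of samples) {
  console.log(s.length > 40 ? s.slice(0, 40) + '...' : s, isEmailSplit(s));
}
```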
@einfallstoll
Author

@chriso Thanks for the explanation and the reference to ReDoS Attacks (first time I heard this, but definitely something I'll keep in mind in the future).

The reason I assumed that there's a bug in validator.js is because my E-Mail was rejected by sails.js and I tracked the validation code all the way down to validator.js where I looked for some useful code regarding E-Mail validation and then I came across the RegExp.

I later tested my E-Mail Address directly against validator.js and I can approve that there must be a problem in a higher level dependency of sails.

Thank you anyway for the explanation and the time to teach me something new. I really appreciate that!

@chriso
Collaborator

chriso commented Nov 17, 2015

@einfallstoll no problem. Support for gTLDs was added to this library at some stage, so I bet one of the dependencies is using an older version.
