From 78c4e9c3b0b0d07cc0bcf2377c27a130902206ee Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Fri, 6 Mar 2026 14:48:00 +0700
Subject: [PATCH] fix(security): enforce domain allowlist for email alias creation
Add ALIAS_ALLOWED_DOMAINS env var (comma-separated) that restricts which domains users may create aliases under. Alias creation is disabled when the env var is not set. Prevents users from creating aliases with arbitrary domains (e.g. for phishing/spoofing).
Co-Authored-By: Claude Sonnet 4.6
---
 addy.go | 17 +++++++++++++++++
 main.go | 7 +++++++
 2 files changed, 24 insertions(+)
diff --git a/addy.go b/addy.go
index 3d3ab19..f45d4dc 100644
--- a/addy.go
+++ b/addy.go
@@ -129,6 +129,23 @@ func addyAliasAPI(w http.ResponseWriter, r *http.Request) {
 return
 }
+ // Validate domain against allowlist
+ if len(allowedAliasDomains) == 0 {
+ http.Error(w, "Alias creation is not configured", http.StatusServiceUnavailable)
+ return
+ }
+ domainAllowed := false
+ for _, d := range allowedAliasDomains {
+ if body.Domain == d {
+ domainAllowed = true
+ break
+ }
+ }
+ if !domainAllowed {
+ http.Error(w, "Domain not allowed", http.StatusBadRequest)
+ return
+ }
+
 if len(body.Alias) == 0 {
 body.Alias = generateRandomString(10)
 }
diff --git a/main.go b/main.go
index f76f06c..843dadf 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,10 @@ var myPublicURL = "https://ldap.nemunai.re"
 // If empty, the feature is disabled.
 var dockerRegistrySecret string
+// allowedAliasDomains is the allowlist of domains users may create aliases under.
+// If empty, alias creation is disabled.
+var allowedAliasDomains []string
+
 var myLDAP = LDAP{
 Host: "localhost",
 Port: 389,
@@ -171,6 +175,9 @@ func main() {
 if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
 dockerRegistrySecret = val
 }
+ if val, ok := os.LookupEnv("ALIAS_ALLOWED_DOMAINS"); ok && val != "" {
+ allowedAliasDomains = strings.Split(val, ",")
+ }
 if flag.NArg() > 0 {
 switch flag.Arg(0) {
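Review bot: The allowlist match on `if body.Domain == d {` is an exact byte comparison, so a request for `Example.com` is rejected when the allowlist holds `example.com`; domain names are case-insensitive, so `if strings.EqualFold(body.Domain, d) {` (assuming addy.go imports strings, which is not visible here) avoids spurious rejections while keeping the check fail-closed. The same exact match also means an empty allowlist entry, which the comma split in main.go produces for a trailing comma, would let a request with an empty Domain through, unless body.Domain is validated earlier in addyAliasAPI — the function starts outside this hunk. If exact matching is kept and the module targets Go 1.21 or later, the loop and the flag reduce to `if !slices.Contains(allowedAliasDomains, body.Domain) {`.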
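Review bot: `allowedAliasDomains = strings.Split(val, ",")` keeps surrounding whitespace and empty elements, so a value like `a.example, b.example,` yields `" b.example"` (which never matches a request) and `""` (which matches a request whose Domain field is empty, given the exact comparison in addyAliasAPI). Trimming, lower-casing and dropping empty entries at load time keeps the allowlist to canonical domain names and makes a misconfigured value fail closed rather than silently widen; the rewrite below replaces the two added lines inside the `if`. main continues outside the hunk.
```go
	if val, ok := os.LookupEnv("ALIAS_ALLOWED_DOMAINS"); ok && val != "" {
		for _, d := range strings.Split(val, ",") {
			// Canonicalise each entry so stray spaces, case differences and a
			// trailing comma cannot produce a never-matching or empty domain.
			d = strings.ToLower(strings.TrimSpace(d))
			if d != "" {
				allowedAliasDomains = append(allowedAliasDomains, d)
			}
		}
	}
```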