From 77794e0b26780b1dc14fae719c45fde9528aee14 Mon Sep 17 00:00:00 2001
From: Billy Zhou <bz@zammad.com>
Date: Wed, 19 Dec 2018 03:54:03 +0100
Subject: [PATCH] =?UTF-8?q?Fixed=20#2390=20-=20Add=20a=20filter=20to=20not?=
 =?UTF-8?q?=20show=20emails=20with=20potential=20issue=20-=20Display=20a?=
 =?UTF-8?q?=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/models/channel/email_parser.rb       |  9 +++++++--
 spec/models/channel/email_parser_spec.rb | 25 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/app/models/channel/email_parser.rb b/app/models/channel/email_parser.rb
index be212453f..96951c6d2 100644
--- a/app/models/channel/email_parser.rb
+++ b/app/models/channel/email_parser.rb
@@ -6,6 +6,7 @@ class Channel::EmailParser
   EMAIL_REGEX = /.+@.+/
   RECIPIENT_FIELDS = %w[to cc delivered-to x-original-to envelope-to].freeze
   SENDER_FIELDS = %w[from reply-to return-path sender].freeze
+  EXCESSIVE_LINKS_MSG = 'This message cannot be displayed because it contains over 5,000 links. Download the raw message below and open it via an Email client if you still wish to view it.'.freeze
 
 =begin
 
@@ -542,9 +543,13 @@ process unprocessable_mails (tmp/unprocessable_mail/*.eml) again
     body_text = body_text.utf8_encode(from: message.charset, fallback: :read_as_sanitized_binary)
     body_text = Mail::Utilities.to_lf(body_text)
 
-    return body_text.html2html_strict if options[:strict_html]
+    # plaintext body requires no processing
+    return body_text if !options[:strict_html]
 
-    body_text
+    # Issue #2390 - emails with >5k HTML links should be rejected
+    return EXCESSIVE_LINKS_MSG if body_text.scan(/<a[[:space:]]/i).count >= 5_000
+
+    body_text.html2html_strict
   end
 
   def collect_attachments(mail)
diff --git a/spec/models/channel/email_parser_spec.rb b/spec/models/channel/email_parser_spec.rb
index 80562efda..c7c65efbd 100644
--- a/spec/models/channel/email_parser_spec.rb
+++ b/spec/models/channel/email_parser_spec.rb
@@ -138,5 +138,30 @@ RSpec.describe Channel::EmailParser, type: :model do
         end
       end
     end
+
+    context 'mail with links' do
+
+      def mock_mail(number_of_links)
+        link = '<a href="https://zammad.com/">Dummy Link</a> '
+
+        mail = Mail.new
+        mail.html_part = "<html><body>#{link * number_of_links}</body></html>"
+        mail
+      end
+
+      let(:mail_10) { mock_mail(10).to_s   }
+      let(:mail_5k) { mock_mail(5001).to_s }
+
+      # regression test for issue 2390 - Add a postmaster filter to not show emails with potential issue
+      it '(>5k links) are replaced by a warning message' do
+        expect( described_class.new.parse(mail_5k)[:body] )
+          .to eql( Channel::EmailParser::EXCESSIVE_LINKS_MSG )
+      end
+
+      it '(10 links) are not touched' do
+        expect( described_class.new.parse(mail_10)[:body] )
+          .to start_with( '<a href="https://zammad.com/"' )
+      end
+    end
   end
 end